The Protection of Personal Information Act (or POPI Act or POPIA) is South Africa's equivalent of the EU GDPR. It sets some conditions for responsible parties (called controllers in other jurisdictions) to lawfully process the personal information of data subjects (both natural and juristic persons).
POPIA was signed into law in 2013. Officially, it commenced on the 1st of July 2020 with a grace period of 12 months. From the 1st of July 2021, compliance with the POPI Act is expected and shall be actively enforced.
The POPI Act protects natural persons and companies. It therefore applies not only to big businesses but to small, medium and large companies, as well as to all individuals.
Personal information is any type of information that relates to a person or that can identify a person, such as gender, race, marital status, nationality, ethnicity, sex, mental health, religion, sexual orientation, language, education, financial, criminal, medical, employment, biometrics, DNA, retinal, blood type, email, telephone number, location information, private correspondence, opinions or views, name, ID number, etc.
The POPI Act is important because it protects data subjects from harm, like theft and discrimination. The risks of non-compliance include reputational damage, fines and imprisonment, and paying out damages claims to data subjects. The biggest risk, after reputational damage, is a fine for failing to protect account numbers.
The Act regulates how personal information may be processed, by establishing conditions that meet international standards for the lawful processing thereof, namely: