Unlocking opportunities from South Africa's Protection of Personal Information Act (POPIA)

28 February 2020

This blog post was updated on 26 June 2020

The Protection of Personal Information Act, 2013 ("POPIA") creates plenty of opportunities for organizations to up their game in protecting customer data and simultaneously delivering a better customer experience. Whilst some companies perceive POPIA as a threat, others see the legislation as a source of competitive advantage. What starts as a compliance programme often grows into a full-scale digital transformation journey that delivers significant competitive advantage to the organization. Kriel & Co and the attorneys from ENSafrica have jointly been advising clients over the past couple of years on preparing for compliance with POPIA and how to identify opportunities for organizational change that leads to a better and safer customer experience.

The purpose of POPIA in South Africa explained in brief.

  • South Africa has privacy legislation in the form of POPIA. To date, most of POPIA is still not in force and effect.
  • In Africa, only 15 of 54 countries have some form of privacy legislation in place.
  • In the absence of active and adaptive legislation (i.e. legislation that can quickly adapt to technological advancements), the privacy rights of individuals and companies remain at risk. POPIA requires that a responsible party ensure that the eight conditions for the lawful processing of personal information are complied with.

The Chairperson of the Information Regulator, Advocate Pansy Tlakula, recently sent a request to President Cyril Ramaphosa to declare that the remaining provisions of POPIA commence on 1 July 2020 ("commencement date"). It is expected that the President will act on the request. A responsible party (i.e., a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information) will then be given a one-year transitional period after the commencement of the Act to comply with its provisions. This means that organisations will have to be POPIA-compliant by 30 June 2021. Non-compliance poses a significant threat to organizations: penalties can range from 12 months to 10 years' imprisonment for executives, a fine of R10 million, or both.

The driving force behind POPIA from a global perspective.

As we enter the 2020s, the world is moving towards an era of greater regulation of personal data, privacy and the Internet in general. Questions around the individual’s consent to the use of personal information have gained significant momentum. One such example, introduced in May 2018, is the Global Data Protection Regulation ("GDPR"), which provided a new set of rules to give EU citizens more control over their personal data. POPIA shares many similarities with GDPR in this regard.

The latter half of the past decade delivered a series of high-profile data breaches with significant volumes of personal information stolen from organizations both locally and around the world. One of the most prominent data hacks occurred at an American credit bureau agency, which saw the theft of millions of records containing US citizens’ identities.  

Data theft aside, consumers are becoming more aware of potential ethical concerns about how brands use personal information to deliver services or products. For example, social media companies have come under fire numerous times in recent years from regulators and governments for the way their platforms utilize personal information from end users to the benefit of advertisers.

As a result, consumers are increasingly losing trust in an organization's ability to manage and safeguard personal information. It is here where the opportunity lies.

The opportunities in POPIA for South African organizations:

  • POPIA compliance initiatives are typically ineffective as standalone programmes from a pure legal perspective as implementation requires an actual change in how people and systems operate. For compliance to be truly effective, most companies have to undertake significant changes to their systems and processes all along the customer journey – ranging from the company facing website straight through to internal systems and processes. Kriel & Co’s clients have been jointly advised by attorneys and management consultants, translating legal requirements into practical change management strategies for successful implementation.


  • Cyber security and related processes come under greater scrutiny, often requiring a formal review. ‘Privacy by design’ requires a new vision for enterprise architecture from the ground up, centred around customer data. Consolidating multiple data points from legacy systems and translating a Privacy Policy, Cyber Policy, Risk Response Plan and other policies related to POPIA compliance into employee knowledge is key.


  • Being POPIA compliant ahead of time not only creates significant internal efficiency for companies (consolidating data, systems and processes) but also signals greater trust to clients, who know that their brand of choice has proactively prioritized the security of their personal information. This commitment from a brand to its customer is in itself a form of competitive advantage at a time when many companies are still practically unprepared for the requirements of compliance with POPIA.