What is POPIA (Protection of Personal Information Act)?

POPIA is South Africa's comprehensive data protection law that promotes the protection of personal information processed by public and private bodies, enforced by the Information Regulator.

The Protection of Personal Information Act (POPIA) is South Africa's principal data protection law, signed in 2013 with full enforcement from July 1, 2021. POPIA applies to both public and private bodies that process personal information in South Africa, or that use automated or non-automated means in South Africa to process information, regardless of where the responsible party is located.

POPIA establishes eight conditions for lawful processing: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. It introduces the roles of "responsible party" (analogous to data controller) and "operator" (analogous to data processor). The law applies to the processing of personal information of both natural and juristic persons (legal entities), which is a broader scope than many other data protection laws.

The Information Regulator serves as the independent supervisory authority and can issue enforcement notices, impose administrative fines of up to 10 million ZAR, and refer criminal offenses for prosecution with potential imprisonment. POPIA also requires responsible parties to appoint Information Officers and register them with the Information Regulator. Organizations can use ComplyIQ to manage POPIA's eight conditions for lawful processing and DiscoverIQ to map personal information holdings.
