According to the IAB, while the sections will commence on Thursday, 1 July 2021, responsible parties — which includes both public and private sector entities — will have a one-year grace period to ensure compliance with the provisions.

Despite the grace period, responsible parties should be encouraged to begin the compliance process as soon as reasonably possible. POPI contains a number of important provisions that give effect to the rights to privacy and access to information.

The act has set out eight conditions for the lawful processing of personal information. These include:

1. Accountability

This requires that the responsible party must ensure the conditions for the lawful processing of personal information are complied with, at the time of determining the purpose and means of the processing and during the processing itself

2. Processing limitation

This requires that personal information must be processed lawfully and in a reasonable manner — and only if it is adequate, relevant and not excessive given the purpose for which it is processed

3. Purpose specification 

This requires that personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party; it should not be retained for longer than is necessary to achieve that purpose

4. Further processing limitation

This requires that the further processing of personal information should be compatible with the purpose for which it was collected

5. Information quality

This requires that the responsible party be required to take steps to ensure the personal information is:
  • complete
  • accurate
  • not misleading, and
  • updated where necessary.

6. Openness

This requires that the responsible party take reasonably practicable steps to ensure the data subject is aware of:
  • what personal information is being collected
  • the source of the information
  • the purpose for which it is being collected, and
  • the name and address of the responsible party.

7. Security safeguards

This requires that the responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures, having regard to generally accepted information security practices and procedures.

8. Data subject participation

This requires that data subjects be given the right to enquire whether personal information is held about the data subject, and be provided with the record or a description of the information held.

Data subjects may further request a responsible party to correct or delete personal information about them if it is:
  • inaccurate
  • irrelevant
  • excessive
  • out of date
  • incomplete
  • misleading, or
  • obtained unlawfully.
POPI also contains a number of other important provisions, including:
  • automated decision-making
  • cross-border data transfers, and
  • the processing of information relating to children.
The IAB says that, although POPI was signed into law in 2013, there have been a number of delays in its full implementation. In the current data-driven era, the protection of personal information is a critical imperative, as members of the public increasingly seek to demand agency over their data. 

For more information, visit You can follow IAB South Africa on Facebook or on Twitter.