POPIA, newsletters and social media groups

Jul 10, 2021


South Africa 'woke up' to POPIA (the Protection of Personal Information Act) in a big way on 1 July 2021 - mostly because of the many, many emails and social media messages that did the rounds that day, claiming that this new law requires consent for direct marketing or to be part of a WhatsApp / Facebook group, and that a failure to unsubscribe will imply that such consent has been given going forward.

Well, not quite. POPIA is quite specific and strict when it comes to the issue of consent (in general) and consent for direct marketing (specifically). Whilst the Act does not apply retrospectively, the continuous processing of personal information obtained historically, is subject to the Act and its enforcement provisions as from 1 July 2021.

However, POPIA does not apply to all activities and communications involving personal information. 

  • There are some exclusions, such as using personal information in the context of purely personal /household...
Continue Reading...

POPIA: Processing employees' personal information and consent

Jan 17, 2021
Employers who have been thinking about updating the consent clauses in their employment contracts for the purposes of POPIA, should consider this carefully. It might be that your new clause ends up being invalid, if corresponding principles from the GDPR are applied similarly in South Africa.  
Processing of personal information is only lawful if it complies with the eight conditions specified in POPIA.          
In terms of the condition of "processing limitation", the following applies:

The processing of personal information must take place in a 'reasonable manner that does not unnecessarily infringe on the privacy of the data subject (s9).

Minimality - only the minimum amount of personal information that is necessary ('adequate, relevant and not excessive') for the purpose for which the information is needed, should be collected and processed (s10) 

Section 11 – Personal information may only be processed on one...
Continue Reading...

POPIA and collecting personal information during the recruitment process

Oct 26, 2020


Employers and recruitment agencies as a general practice ask for a job applicant’s current (or past) payslip when they apply for a new position. This has always been a contentious issue, but most job applicants disclose it if a prospective employer insists upon it, for fear of been side-lined if they challenge this request.

With the advent of POPIA, it seems that the shoe will be on the other foot, since such information constitutes personal information and at a minimum, the eight conditions for lawful processing must be complied with by the employer as the responsible party if it wishes to collect and use this information of a job applicant as the data subject.

The eight processing principles / conditions include –

  • minimality or processing limitation (only processing what is really necessary and relevant) and based on one or more of six lawful grounds;
  • for a stated purpose (purpose specification) that is based on and relevant to the legitimate activities of the...
Continue Reading...

POPIA and the Information Officer

Oct 18, 2020


In South Africa, the Information Officer (IO) is the person within an organisation (as the responsible party) who is responsible for compliance with PAIA (Promotion of Access to Information Act) and now also POPIA.

Who is the Information Officer?

This position is automatically assigned to the head of the organisation (such as the CEO, or a partner, or a sole proprietor in the private sector), who will be the Information Officer by default. There is however provision for designating and officially appointing someone in this position and for the appointment of Deputy Information officers to whom such powers and responsibilities can be delegated. The accountability however will remain with the Head of the organisation, regardless of a delegation of responsibilities.

It is also interesting to note that, different from the GDPR, POPIA does not make provision for the outsourcing of this position – i.e. appointing or contracting an external Information Officer. The position of...

Continue Reading...

Data protection and using Emails

Sep 26, 2020


A large proportion of an organisations’ IP typically resides in email. Email is also the main mechanism for a host of cyber-attacks, including malware, phishing and social engineering.

POPIA compliance and data protection in relation to the use of emails, relate to technology as well as how the system is used.

On the one hand it is crucial to ensure email data security and data leak prevention solutions are put into place.

In addition, users (such as employees) should be educated in terms of meeting POPIA requirements when they send, forward or reply to emails; and also how they react upon receiving them.

Developing a compliant email strategy requires an organisation to firstly identify and map the process of email data flow as well as the various components. Then, it needs to demonstrate that this data is protected and controlled and that the organisation is aware of all of the data touch points and storage points and who has access to it.


People / Users


Continue Reading...

POPIA - It's a journey, not a sprint

Sep 04, 2020


POPIA compliance is complicated. It is not something that can quickly be tackled and completed within a week, or even a few weeks prior to the compliance deadline of 1 July 2021. Such a thing as a 'POPI file' filled with templates and completed checklists sitting on a shelf or in folder, ready for a random inspection, will not cut it. Neither will a generic 'POPI Manual' or policy that you buy from a service provider. If you want to achieve actual compliance that will withstand court challenges, prosecutions, complaints and regulatory investigations, it will require a great deal more.  

While we are all too aware that POPIA may be the last thing on people's minds when they are struggling with sheer survival in the midst of the Covid-19 environment, we do believe that there is room for awareness and education on the topic, and a slow 'easing in' for organisations and individuals to become familiar with a POPIA-compliant landscape.


Continue Reading...

POPIA - Understanding the process

Jul 02, 2020


Most of the remaining provisions of the Protection of Personal Information Act have come into operation on 1 July 2020.

That means that the start of the anticipated 12 month transition period is 1 July 2020 and that the effective date for enforcement (the date by which organisations must be compliant) will be 30 June 2021. Although there will be no sanctions for non-compliance until that time, organisations must work towards compliance as soon as possible - and there is a lot to do.

It is expected that there will be further communications covering practical implications such as the registering of Information Officers. 

POPIA applies to all local and foreign organisations processing personal information in South Africa. The Act will impact on technology, policies, procedures and compliance frameworks across the business - including in ICT, HR and marketing.

What is POPIA?

POPIA is the South African version of the European...

Continue Reading...

50% Complete

Sign up for our mailing list

Be the first to know about new developments, training, news and special offers