The A-Z of the POPI Act

The Protection of Personal Information (POPI) Act came into full effect on the 1st of July 2021. If you still haven’t implemented your POPI compliance strategy, it is strongly advisable that you take quick and decisive steps to do so as non-compliance could carry hefty penalties. To ensure that you get your (POPI) act together, we’ve put together a handy list of A-Z* terms that you should consider in your quest for information protection.

A – Accountability: One of the 8 conditions for processing personal information, which governs that both the means and the purpose thereof must be determined before processing can take place.

B – Big data: With modern data-practices where large quantities of information are constantly being processed in a short time, you will need to ensure that you have infrastructure in place to deal with these kinds of large-scale processes lawfully.

C – Consent: You need to provide your data subjects with enough information for them to make an informed decision on whether you may process their personal information. They may only be approached for consent once.

D – Data Subject: The legal persons/entities whose information you collect and process are called data subjects.

E – Eradication: When information is no longer used for the purpose it was collected, you will need to dispose of that information without a way to recover it.

F – Freedom: While POPI does restrict the liberty with which businesses have been processing data in the past, it is in fact aimed at rectifying the lack of freedom and privacy data subjects have been forced to deal with for much too long.

G – GDPR: The GDPR (General Data Protection Regulation) is the EU’s data protection law and is similar to POPI in many ways. Be sure to understand by which jurisdiction your data is regulated.

H – How: According to the POPI Act, the manner in which you process personal information must be pre-determined and communicated clearly to your data subjects.

I – Information officer: Every business should appoint someone to handle their data processes and take responsibility for ensuring compliance with the POPI Act.

J – July 2021: The POPI Act is lawfully enforceable from the 1st of July 2021.

L – Limitations on Processing: A variety of limits exist on the processing of personal information, including obtaining it from the data subject, gaining of consent, scope (you cannot collect excessive data), and more.

M – Marketing: POPI has a significant effect on marketing practices. As such, traditional ‘grey areas’ in the processing and use of personal information are now much more ‘black and white’.

N – Notice: You must provide your data subjects with a notice of how their information is collected, processed, used and disposed of, as well as what the purpose of that information is.

O – Openness: The data subjects must always be able to access their data, be able to see what data you possess, and be able to make changes to their data.

P – Penalties and fines: Non-compliance is prosecutable, with fines of up to R 10 000 000 and imprisonment of up to 10 years.

Q – Quality of information: Personal information must always be kept accurate, complete, and up to date.

R – Regulator: South Africa has an Information Regulator who is empowered to monitor and enforce compliance with the POPI Act. It is an independent regulatory authority.

S – Security: As a condition for processing personal information, you are required to take all reasonable measures to ensure that the information of your data subjects is protected, secured, and encrypted.

T – Third-party processing: Your data subjects have to consent to the use of their information by third parties, and the details thereof must be clearly outlined before you collect their personal data.

U – Unsubscribe: Where you previously might have gotten away with sending unsolicited communication with the option to unsubscribe, now you will need to ensure that your data subjects opt in for communication.

V – Veracity: All the data you process must be accurate, and it is your responsibility to ensure that you update your databases regularly.

W – Why: The purpose for which you collect and process personal information must be clearly defined and communicated to data subjects.

Y – Yearly review: You will need to regularly review your POPI plan and ensure that your processing standards remain up to date. Therefore, it is advisable to review your data systems and POPI protocols at least once a year.

Z – Zero Trust (ZT) Architecture: As a security measure, some companies have implemented ZT Architecture, which ensures that the authority and access to data are checked at every point of access and not just trusted because of the network through which it moves. This is not a requirement of POPI.

*Please note there are no entries for K or X.

To ensure that you have everything in place to protect yourself (as an information processor) and your data subjects (whose sensitive data you collect) with regard to the POPI Act, please get in touch with your trusted advisor.

This article is a general information sheet and should not be used or relied upon as professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your financial adviser for specific and detailed advice. Errors and omissions excepted (E&OE)




