What Is the POPI Act?

Learn how to become compliant with South Africa’s Protection of Personal Information Act (POPIA)

Get Started

What Is the Purpose of POPIA?

South Africa’s Protection of Personal Information Act (POPIA) aims to give the citizens of South Africa more control over their data and require that organizations do more to protect the personal data they process.

Under the law — which became enforceable on July 1, 2021 — “processing” personal information includes collecting, receiving, recording, organizing, retrieving, using, disseminating, distributing, or making it available.

POPIA Regulations

Among other data privacy and protection measures, POPIA:

  • gives South African data subjects nine actionable, enforceable rights over their personal information — including the rights to access, correction, and deletion
  • requires that companies follow eight minimum requirements for data processing (e.g., requiring consent as a legal
    basis)
  • creates a broad definition of personal
    information
  • establishes the enforcement and supervisory body South African Information Regulator (SAIR), with broad powers to investigate and fine responsible parties

Who Does POPIA Apply To?

POPIA applies to any organization that:

  • processes personal information in South Africa
  • is domiciled in South Africa
  • is not domiciled in South Africa but that
    processes personal information in South Africa

Unlike GDPR, which requires compliance of any organization that processes personal data of data subjects within the EU, POPIA requires compliance of any organization that processes personal information within the country.

What Is Considered Personal Data Under POPIA?

POPIA defines personal information broadly, as “any information relating to not only a living person but also a company or legal entity.”

However, in a point of ambiguity that could lead to enforcement difficulties and possible abuses, POPIA also allows companies to process data if it’s deemed in the user’s “legitimate interest.”

Companies who are noncompliant with POPIA can face fines of up to 10 million ZAR — and even criminal penalties and prison time.

What Is the Difference Between GDPR and POPIA?

While POPIA is modeled after GDPR, there are some key differences between the South African and EU laws. They include:

  • POPIA protects companies as “juristic persons,” while GDPR only protects individuals
  • POPIA focuses on the location of processing rather than the location of the data subject (GDPR).
  • POPIA requires companies to appoint an Information Officer and Deputy Information Officer, whose roles differ from the GDPR’s Data Protection Officer
  • POPIA requires breach notification within a reasonable time period — and GDPR within 72 hours
  • POPIA requires DSAR response within a reasonable time frame — and GDPR with a month at the most.
Read more about POPIA vs GDPR

BigID Solutions for POPIA Compliance

  • Discovery-in-Depth

    Discover all personal data and sensitive information of South Africa residents — wherever it is stored across the enterprise.

  • Next-Gen Data Classification

    Data classification re-imagined for the modern data landscape — for all data, everywhere.

  • Correlation & Graph Technology

    Automatically establish how identifiable data relates to a resident’s identity — and uncover data relationships.

  • Data Rights Automation

    Automate end-to-end data rights, quickly locate all data kept on an individual, and manage subject access requests at scale.

  • Data Processes and Sharing

    Manage, monitor, and validate data processing and sharing activities across your entire data environment.

See it in Action

Awards & Recognition

Industry Leadership

Future of Privacy Forum Logo
World Economic Forum Logo
EDM Council Logo
IAPP Logo
Cloud Security Alliance Logo
IT-ISAC logo
EDM Council CDMC Certified Solution Logo