Frequently Asked Questions!

What is the Protection of Personal Information Act?

The Protection of Personal Information Act, generally known as the PoPI Act or POPIA, intends to promote the protection of personal information processed by public and private organisations and to introduce certain conditions so as to establish minimum requirements for the processing of personal information.

Who has to comply with the Protection of Personal Information Act?

The Act applies to any person or organisation who collects and uses any data relating to the personal information of anyone, unless those records are subject to other legislation which protects such information more stringently.

What is the role of the Information Officer?

The Information Officer is responsible for ensuring that your organisation complies with the POPI Act. They must be registered with the Information Regulator.

Can companies email or send SMS to prospective customers to sell them products or services?

Under the POPI Act you will only be able to direct market to people on an opt-in basis. You can contact someone only once to get their consent to send them more communication.

Does being ISO 9000-2001 compliant make us POPI compliant as well?

Being ISO 9000-2001 compliant does not make you POPI compliant. ISO 9000-2001 is an international standard and the POPI Act is legislation. Meeting the ISO 9000-2001 standard aids you in meeting security compliance. However, an organisation can have security without privacy, but you can't have privacy without security. There are specific privacy requirements, laid down in the principles of the POPI Act, that you as an organisation need to comply with in order to become POPI Act compliant.

How long can we keep Personal Information?

You will need to draw up a Records Retention Policy detailing how long you retain PI and other confidential information for all data subjects. Personal Information must be kept only for as long as is necessary to fulfil the intended purpose for which the information was collected or processed.

What is the penalty if I'm found to be in breach of the POPI Act?

If you are found to be misusing personal information you not only face regulatory sanctions, but you also run an actual risk of damaging client relationships and overall business reputation. The Information Regulator may hold you liable to pay a fine of up to R10 million and/or serve a prison sentence of 12 months up to 10 years.

Get Started With POPI Support Today

We offer an array of online and offline services to help you build your POPI compliance.