Protection of Personal Information Act: don’t get caught by a curveball!

Previously the Information Regulator, Advocate Pansy Tlakula, requested President Cyril Ramaphosa to announce 1 April 2020 as the commencement date for the Protection of Personal Information Act (POPI Act). Since being signed into law on 19 November 2013, and published in the Government Gazette on 26 November 2013, the public and private sectors have waited with bated breath for the commencement date to be announced. Although certain limited sections of the POPI Act are already operational, those sections enforcing compliance and penalties are not yet in effect. Once the POPI Act does commence, entities will only have one year’s grace period to ensure compliance. Now is the time to ensure that your business is not caught by a curveball.

When is the new expected date?

Given the circumstances in respect of COVID-19 it is understandable that the POPI Act commencement date was not announced as 1 April 2020. Pending any further statements made by the Information Regulator we cannot say for certain when the POPI Act’s commencement date will be.

However, considering that Adv. Tlakula’s term is set to end on 1 December 2021 we believe that her office would want to ensure that the POPI Act is in full effect by then.

Therefore, given that the one year’s grace period will still need to run its course, we guesstimate that an announcement regarding the commencement date will take place sometime during the second half of 2020.

What’s the big deal with data privacy during the lockdown?

South Africans have been plunged into uncharted territory, with many entities needing to adjust their way of operating to ensure that they survive the lockdown and the financial consequences thereof. These adjustments include the manner in which personal information of others is managed.

Data security amid the global coronavirus pandemic is more important than ever, with the Information Regulator, in a recent press statement, encouraging private and public bodies to strengthen their data privacy compliance measures, providing, amongst other things that, “Considering the prevalence of data breaches and cyber-crime in our country and globally, the Regulator calls on both public and private bodies to increase their security measures around their digital and physical operating systems so as to protect the personal information of everyone against unlawful or unauthorised access”. In addition, the Information Regulator issued a Guidance Note on the processing of personal information in the management and containment of COVID-19 pandemic.

It is therefore imperative for businesses and business owners alike to use this time to put sufficient systems, processes and measures in place to ensure compliance with the POPI Act as, once fully effective, the Act will place specific obligations on businesses to process personal information within the confines of its provisions.

Several jurisdictions around the world already have fully effective data protection laws, e.g. the European Union’s General Data Protection Regulations (GDPR), which the POPI Act was guided by. The operation of the GDPR and other countries’ data protection laws will no doubt serve as a notable illustration for how the POPI Act may, in its own right, operate and require entities to process personal information in general, and also specifically during a global health pandemic such as COVID-19.

Cyber-crime is also rife during a lockdown, with many businesses continuing or starting to function electronically even if their operations are severely limited. Don’t let your business become a statistic. Be proactive! You may not be able to control the global pandemic but your business can put measures into place to ensure that it continues to operate in a manner that protects its assets, upholds the constitutional right to privacy, avoids a breach of personal information and prevents unnecessary damages to its financial position and reputation.

What you can do now

Although compliance with the POPI Act is not a “quick-fix” exercise, as we have mentioned before, here are four things, as an absolute minimum, which you can do during the nation-wide lockdown to ensure that your business is not flattened by a POPI curveball:

  1. Get a privacy policy in place. If your business operates a website/ app/ other social media pages, it is more than likely that your business in some way processes the personal information of data subjects. It is therefore imperative for your business to have a privacy policy which not only protects your own interests, but also protects the rights of users of your platforms. This policy will inform users how your business may use their personal information when dealing with your company.


  2. Get terms and conditions of use in place for your website and your products and services. These documents set out terms and conditions for making use of your company’s electronic platforms. In addition, such terms and conditions should regulate the selling of your products and/ or services to customers. These agreements are linked to each other and to the company’s privacy policy. Acceptance of such terms and conditions by a customer then effectively provides ‘consent’ by that customer for your business to process their personal information in accordance with the provisions of your company’s privacy policy.


  3. Improve your knowledge by doing an online POPI Act course. You may find yourself with some extra time on your hands given the compulsory nation-wide lockdown, so take advantage of this spare time and educate yourself on all things relating to the protection of personal information and how the POPI Act may affect your business in the way it currently operates.


  4. Get a PAIA manual in place for your business. The Promotion of Access to Information Act 2 of 2000 (PAIA) is the other side of the coin. PAIA regulates access to such personal information. It aims to uphold a person’s right to have access to information as contemplated in section 32 of the Constitution. PAIA requires entities (public or private) to have a manual in place that serves as a roadmap on how to request information/ records held by such entities.

Manage your data protection obligations today

We are not sure how long the COVID-19 pandemic will last or whether the lockdown will be extended again. However, we are certain that once the lockdown has passed it is highly unlikely that it will be “business as usual”.

Once the grace period ends and the POPI Act is in full effect, businesses that fail to comply, irrespective of whether it is intentional or accidental, can face severe penalties. The POPI Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.

In these interesting and unique times that we find ourselves in it is imperative that you remain in control of the controllable and that you are able to hit that curveball out of the park.

Our legal experts are working remotely and are available should you require advice and legal assistance to ensure that your current business systems, processes and operations are safe and secure and in line with the requirements of the POPI Act.

Visit for various technical and advanced privacy tools we have to offer in cooperation with our business partners.

VDT Attorneys, your go-to legaltech partner for everything related to the protection of personal information and data privacy.

©VDT Attorneys

April 24, 2020