by Nicozaan Finestone-Jordaan

Companies worldwide, from small to international businesses, are realising that information is an important strategic asset.  Businesses are devising new ways of collecting and leveraging information to their and their clients’ benefit. Client information gives businesses access to client behaviour, preferences and needs.However, holding personal information also has a flipside – in the wrong hands, sensitive, personal information can be traded and used by criminals to the detriment of the business and the individual.

Information breaches, such as that faced most recently by Liberty, are a cause for concern to both business owners and consumers. Consumers are becoming more aware of the importance of their information and who they choose to share it with. They want to know what information is collected, how it is stored and processed, and with whom it is shared.

In line with international best practices and regulations, such as the EU’s General Data Protection Regulation (GDPR), South Africa introduced legislation to regulate the collection, processing and storage of personal information. The Protection of Personal Information Act (POPIA) was introduced during 2014 to regulate the processing of personal information by private and public entities. Only certain provisions of POPIA came into operation, such as the establishment of the Information Regulator, who will oversee adherence to the Act. The provisions of POPIA dealing with the processing of personal information are expected to come into operation early next year. Entities will be granted a year’s grace to get their affairs in order, to comply with POPIA.

The purpose of POPIA

The purpose of the Act is to promote the protection of personal information processed by private and public bodies and to establish the minimum requirements for the processing of such information.

Information protected by POPIA

The personal information processed (for example, collected, stored, used, shared, archived) of any individual or a juristic person (for example, a company) will be protected under POPIA.

Personal information would include a person’s name, surname, identity number, age, address, and so forth. There is also a specific category of information, called special personal information, that includes information about children and other sensitive information (for example, religious or political beliefs and race) and provides for even stricter requirements for the processing of that information.

Minimum standards

POPIA identifies certain conditions for the processing of personal information. These include:

Implications for businesses

POPIA places an obligation on anyone collecting personal information to deal with that information in line with the requirements as set out in the Act. Considering that you collect, process and store vast amounts of personal information on a daily basis, it is of vital importance that you get acquainted with the requirements of POPIA and start planning how you will adapt your processes to ensure compliance. Non-compliance with the provisions of the Act can lead to major fines and even imprisonment.

It is important to realise that the protection afforded by POPIA to personal information does not apply to only your customer information; it also applies to supplier and employee information.

Treating all personal information with the necessary confidentially and ensuring its security, will result in people being more willing to do business with you and help you grow your business.

For more information regarding POPIA and data privacy, please contact:


Henning Pieterse | Partner


Areas of Expertise: Corporate & Commercial Law



Nicozaan Finestone-Jordaan | Associate


Areas of Expertise: Litigation | Dispute Resolution | Contracts | Commercial advice and agreements | Consumer rights and privacy


This article is a general information sheet and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your legal adviser for specific and detailed advice. Errors and omissions excepted (E&OE)