Avatar photo

By Faizel Patel

Senior Journalist


How PoPIA is changing the way you work

President Cyril Ramaphosa officially signed the Cybercrimes Act into law in June last year.


The Protection of Personal Information Act 4 of 2013 (PoPIA) had made many think twice about what they share on social media and other platforms.

President Cyril Ramaphosa officially signed the Cybercrimes Act into law in June last year, which stipulated it was a crime to send certain types of harmful WhatsApp message or texts on social media and other online platforms in South Africa.

The Information Regular, who oversees all PoPIA compliance in South Africa, gave organisations a 12-month grace period to get everything in order and implement the measures required to comply with the Act.

Paul Raath from Bizmod Consulting said despite eight months after the grace period granted by the Information Regulator, many organisations are still in the process of getting their PoPIA compliance in order, and just as many if not more are yet to even start.

“After all we have and continue to go through, it is easy to feel overwhelmed when faced with what many see as a compliance tick-box exercise. But the PoPI Act is so much more than that. It’s also far less daunting than we imagine.”

Raath explains what companies need to know about PoPIA and how it changes the way they work.

What is PoPIA, now?

Personal Information (PI) belongs to the person it pertains to, not the party that collects it. 

Our PI has become a much-desired commodity, with some groups willing to go to extraordinary lengths to get their hands on data.

To counter this, organisations are required to have in place security measures that ensure all PI collected from customers, employees and third parties are kept safe.

The Act identifies various conditions and special conditions that prescribe how organisations are expected to go about securing the PI. The Act does not prohibit organisations from collecting this, but it does set strict standards for what is collected and how the data is secured.

What does this mean?

PoPIA need to viewed as a means to embrace business best practices and responsibility.

Ultimately, the Act requires organisations to:

●            Only collect the PI they absolutely need to conduct business;

●            To keep that PI secure while in their possession;

●            To better manage their customers’ direct marketing consent preferences; and

●            To keep a closer tab on weak points in their information flow.

“These are all aspects an organisation would want to optimise anyway, as it can have a positive impact on not just operating costs but also earnings,” said Raath.

How PoPIA works

  • If you collect only the information you absolutely need, you will not have to pay to store the excessive PI;
  • If you up the security of your systems and access, you are not only protecting PI but also the company information from outside attack;
  • By better managing your direct marketing preferences, you are able to engage with existing and potential customers on terms where they are more open to engaging with your products or services; and
  • If you follow the chain to identify your privacy weak points, you ultimately build a stronger organisation in more aspects than just the protection of PI.

Raath said the simplest way to look at PoPIA is to work towards getting your organisation in a state of privacy awareness.

He noted that employees also needed to consider privacy concerns in their day-to-day duties.

ALSO READ: Telkom, Icasa reach settlement over high-demand spectrum

For more news your way

Download our app and read this and other great stories on the move. Available for Android and iOS.