South Africa’s Protection of Personal Information Act (POPIA) comes into effect on July 1st, 2021. We have compiled a checklist of key requirements under South Africa’s POPIA.

  1. Appoint an Information Officer responsible for POPIA compliance:
    Organizations must appoint an Information Officer who will be responsible for encouraging compliance with POPIA. The Information Officer will deal with any privacy requests made to the organization and cooperate with the Information Regulator on investigations and compliance. Before starting their role, they are required to register with the Regulator.
  2. Identify the lawful basis for collection and use of all personal information:
    Organizations can process personal information only on a lawful basis. The processing of personal information should be adequate, relevant and not excessive to stated and intended purposes. Organizations must inform data subjects about the purposes of collection. Furthermore, organizations must ensure that the personal information they have is complete, accurate, and updated.
  3. Respond to data subjects’ data access and rectification requests:
    Under the POPIA, data subjects have the right to access their data and inquire about third parties who have access to the information. Additionally, data subjects can request to correct or delete their information. Organizations must respond to such requests as soon as reasonably practicable.
  4. Notify security compromises as soon as reasonably possible:
    POPIA requires organizations to notify the Regulator and impacted data subjects of security compromises where there are reasonable grounds to believe that personal information has been accessed or acquired by any unauthorized person. Notification must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and restore the integrity of the organization’s information system.
  5. Have a written contract with the data operator:
    POPIA requires organizations to have a written contract with the operator/data processor to ensure that the operator will establish and maintain security measures for the protection of personal information in line with POPIA.
  6. Ensure adequate level of protection in cases of cross border data transfers:
    An organization cannot transfer personal information to a third party in a foreign country unless one of the following conditions is fulfilled:

    • There exists an adequate level of protection. In other words, recipients are subject to a law, binding corporate rules or a binding agreement providing an adequate level of protection that effectively upholds principles similar to those of POPIA,
    • The data subject has consented to the transfer,
    • The transfer is necessary for the performance of a contract between the data subject and the data controller,
    • The transfer is necessary for the performance of a contract concluded in the interest of the data subject, or
    • The transfer is for the benefit of the data subject and it is not reasonably practicable to obtain the consent of the data subject.
  7. Maintain the documentation of all processing operations:
    POPIA requires organizations to maintain documentation of all data processing operations under their responsibility. Such documentation will help organizations demonstrate compliance to the Regulator.

To learn more, download “What do you need to know about South Africa’s POPIA?” & get a detailed view into POPIA’s requirements.
