087 470 0506 [email protected]

POPI Compliance Consulting

POPIA is the South African personal information privacy law, the Protection of Personal Information Act. All organisations collecting, processing and holding personal information have to comply with this law in a proportionate and demonstrable manner by the 1st July 2021. The Act has defined processing conditions which protects personal information through its entire lifecycle of processing; collection, transfer, storing, and deletion. For example, the collection of data of your clients, your prospective client or staff, was the person informed of what the information will be used for, was a lawful basis applied, and done so correctly, is extra information being collected? One of the primary conditions or principles is accountability, this includes the lifecycle of the personal information flow in an organisation. It means that the MD or the CEO of an organisation is accountable for facilitating the organisation’s entire privacy framework. These principals’ matter because they are the core of the Act, everything about the regulation is built around them.

POPIA and the 3 Parties

Lets get practical; we need to describe the roles of organisations and people in POPIA.

Data Subject is a juristic or natural person to whom the information belongs. Any linked information is what must be protected and only used for the lawful basis they have accepted.

Responsible Party is a public or private body or any person who requires personal information to be processed in order to meet the purposes of the permitted transaction.

Operator is a party who processes personal information for a responsible party.

The 8 Principles of POPIA


1st Principle:

ACCOUNTABILITY: The head of the company is ultimately responsible for the oranisations compliance to POPIA.


2nd Principle:

PROCESSING LIMITATION: The data usage must be lawful, minimal amount of information collected, processed and stored.

3rd Principle:

PURPOSE SPECIFICATION: Collected, used and retained for a specific purpose and period, related to your organisation’s activity and legal purpose.

4th Principle:

FURTHER PROCESSING LIMITATION: Further processing must be compatible and in line with with the original purpose for collection.

5th Principle:

INFORMATION QUALITY: Ensure that the personal information is current, complete and accurate.

6th Principle:

OPENNESS: You need to tell the person when you collect their personal information.

7th Principle:

SECURITY SAFEGUARDS: Measures and security tools to prevent loss of or unauthorised access to personal information.

8th Principle:

DATA SUBJECT PARTICIPATION: The original data owner (data subject) and they need to be able to access it.
These principles form the foundation of the regulation and all the actions and procedures that are required in order to meet compliance revolve around these, and that is why they matter. Note, the above principles are summarised above in a simple and easy to understand manner, further detail is available on each of these principles. Our Data Governance and Privacy Platform (privIQ) is a comprehensive tool for demonstrating compliance, mapping personal and sensitive personal information, governance and communication to all stakeholders, managing data protection, impact assessments and subject access requests, and reporting data breaches. Our collaborative cloud-based service will save you time and money by giving you the tools to document your efforts, educate your staff and manage the new processes required by the regulations under POPIA.