IP/IT Law: POPIA, a Piece Meal

The POPIA (Protection of Personal Information Act) came into effect on the 1st of July 2020. Consequently, it is no longer a question of when she will arrive but rather: will you accept her invitation ensure you are compliant by 1 July 2021?

Ever since the POPIA became a topic of discussion, you have been inundated with warnings of compliance and general fearmongering on the consequences of non-compliance. Although there is merit in these warnings, POPIA-compliance is not as daunting as it may seem at first glance.

As the adage goes: How do you eat an elephant? One bite at a time. Depending on your organisation, compliance might indeed be an elephant, or it might be an impala. No matter the size, the process remains the same and we are here to assist you.

To start you off, we created the below flow chart. The POPIA-conditions are not selective, all must be adhered to. Consequently, should you answer no on any of these questions, you are not POPIA compliant.

1. Accountability: Have we appointed someone to ensure our lawful processing of Personal Information?
Yes / No

2. Limitation: Have we determined the reasons and minimum amount of Personal Information needed from Data Subject?

Yes / No

3. Purpose: Have we determined which of POPI’s processing purposes are applicable to us?

4. Further processing: Do we have a Plan of Action for when we need to process Personal Information further than originally indicated? Yes/No

5. Quality: Do we have a Plan of Action in place to ensure we collect & process accurate Personal Information?

6. Openness: Do we notify data subject that we collect their Personal Information and provide reasons

7. Safeguards: Do we sufficiently protect the Personal Information under our control against tampering, deletion and unauthorised access?

8. Safeguards: Do we send Personal Information across RSA Borders? If so, is it sufficiently protected there?

9. Safeguards: Do we have an agreement with third party(ies) that process PI for our business (including hosting of Personal Information?)

10. Participation: Do we have a process to assist Data Subjects to amend or delete their Personal Information?

Please note that the above flow chart is not the entire meal. It is closer to an entrée – providing a graphic overview of steps to assist organisations in better visualising and understanding the road forward.

If you answered “No” to any of the above-mentioned questions, contact Gerrie van Gaalen or Ingrid Opperman at dataprotection@dkvg.co.za.


Gerrie van Gaalen at gvgaalen@dkvg.co.za

Ingrid Opperman at iopperman@dkvg.co.za

For the main course, we created a checklist to identify the main ingredients, which upon completion, will get you to dessert – a perfect slice of POPIA-compliance. We will gladly work through the list with you, all you need to do is make a booking.

This article is for general information purposes and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact us At DKVG Attorneys for specific and detailed advice.