🧾 Overview
Name: Protection of Personal Information Act (POPIA)
Act no: 4 of 2013
Effective Date: 1 July 2021 (full enforcement)
Type: Principle-based
Regulator: Information Regulator (South Africa)
Purpose: To give effect to the constitutional right to privacy by safeguarding personal information processed by public and private bodies, subject to justifiable limitations that balance the right to privacy against other rights, particularly the right of access to information.
👥 Who Does This Affect?
Direct Applicability:
POPIA impacts any natural or juristic person who processes personal information. A juristic person can include large corporates, government, a partnership, association, trust, body corporate, company, or close corporation.
High Impact On:
Any organisation that processes large volumes of personal information, whether in the public or private sector (for example a bank or a medical aid scheme). The industries most affected are financial services, insurance, healthcare, retail (including online shopping sites), marketing (including direct marketing), banking, credit providers, medical aids, business process outsourcing, and telecommunications.
📋 Key Requirements Relating to Cybersecurity
- Security Safeguards: A responsible party must secure the integrity and confidentiality of personal information by taking appropriate, reasonable technical and organisational measures to prevent loss, damage, unauthorised destruction, and unlawful access. [Section 19]
- Notification of Security Compromises: Where there are reasonable grounds to believe that personal information has been accessed or acquired by any unauthorised person, the responsible party must notify the Information Regulator and the data subject. [Section 22]
- Information Officer Responsibilities: The information officer must encourage compliance with the conditions for lawful processing of personal information and must be registered with the Information Regulator. [Section 55]
- Prior Authorisation: Certain processing activities require prior authorisation from the Information Regulator, including processing of unique identifiers, information on criminal behaviour, or transferring special personal information to third parties in foreign countries that do not provide adequate protection. [Section 57]
⚠️ Consequences of Non-Compliance
Financial Penalties:
An administrative fine not exceeding R10 million may be imposed for non-compliance. [Section 109]
Criminal Penalties:
Offences under POPIA may result in a fine, imprisonment for a period not exceeding 10 years, or both a fine and such imprisonment. [Section 107]
Regulatory Consequences:
The Information Regulator may issue an enforcement notice requiring a responsible party to take specified actions to remedy non-compliance. Failure to comply with an enforcement notice is an offence. [Section 95]
Reputational Harm:
Trust in an organisation and its brand can be significantly damaged, leading to the potential loss of customers, contracts, and licence eligibility.
✅ How ARMD.digital Helps You Comply
Product:
What it does:
Performs a safe, external scan of your public digital footprint to detect security weaknesses visible to attackers.
How it supports compliance:
- Identifies vulnerabilities that could lead to unauthorised access to personal information, supporting the implementation of appropriate security safeguards. [Section 19]
Product:
What it does:
Enforces domain-based email authentication to block spoofing, stop phishing, and boost email deliverability.
How it supports compliance:
- Enhances the security of electronic communications, reducing the risk of unauthorised access to personal information. [Section 19]
📚 Additional Resources
- Information Regulator: https://inforegulator.org.za/popia/
- Information Regulator: Security Compromises (data breaches) Reporting eServices portal
- Michalsons: The Act published in the form of a website: popia.co.za
- Michalsons: POPIA offenses, penalties and administrative fines: Michalsons Blog
(Links verified and active as of May 2025)
Where appropriate, we link to Michalsons’ expertly maintained legal resources and plain-language explanations. We gratefully acknowledge their role in making South African legislation more accessible and understandable.