Jul 21, 2020 | Articles, Cyber Security, GDPR, ISO


Howard Freeman



The EU’s General Data Protection Regulation (GDPR) took effect on 25 May 2018 – as heralded by the million-or-so “We’ve changed our Privacy Policy” messages we all received at the time and continue to receive. Whilst organisations across the EU scrambled then and still struggle today to get their affairs in order, in South Africa we received e-mails telling us that we had to become GDPR compliant by the deadline. But was this true for South Africa then, and is it true now? With POPI now partially in law, what should South African businesses be doing?

The GDPR is a European Union regulation and does not have general effect in South Africa. It is not a local law in this country. However, parties that process personal information in South Africa may have to comply with the GDPR, because the GDPR has so-called “extra-territorial application”.

Does this matter in South Africa?

A person or entity in South Africa will need to comply with the GDPR’s requirements if they process personal information of someone based in the EU. But this will only be the case if the information is processed in relation to the offering of goods or services to, or the monitoring of the behaviour of, people in the EU. For example, you will need to comply with the GDPR if you sell products to people in the EU or if you have a website that tracks the behaviour of people in the EU by using cookies.

Even if the GDPR does not apply to you, it is still a good time to start getting ready for POPI – South Africa’s own data protection law. POPI is based on the GDPR’s predecessor, the EU Data Protection Directive, so there are many similarities between POPI and the GDPR. Simply updating your Privacy Policy is not compliance.


Why it is vital that companies understand POPI in practical terms now, and the consequences of not doing so.

It is important to do a high-level analysis of the personal information in your company before embarking on the POPI implementation journey. Companies should be doing this now, not waiting for 1 July 2021.

Organisations should already have started to identify the risk areas and be working on them. Alongside this activity, there should be a task team that takes responsibility for POPI compliance and readiness. We can help form the task team. Contact us here to find out more.

There are many misconceptions surrounding POPI. Many people do not even realise that POPI is not yet fully in force. Organisations need to understand when POPI will apply to them, and when it will not. If they understand how POPI works, they can adapt their processes accordingly.

Some organisations will be able to remove some of their activities from POPI’s reach by making simple changes. For example, data that falls outside the definition of “personal information” is not covered by POPI’s provisions, so some organisations can change their data-gathering habits to avoid collecting personal information at all. Your Privacy Policy will need to reflect this.

So, what are the three key factors to consider when preparing for POPI?

  1. Determine what kind of personal information you are processing and why you are processing it.
  2. Accept that POPI compliance is necessary to avoid fines and reputational damage. Also accept that it can make your business more efficient and streamlined.
  3. Raise awareness in your organisation. Compliance is easier if people in your business are familiar with POPI’s requirements and know where the issues lie.

If your organisation retains large quantities of personal data, you need to identify the various types of information being collected and retained. Then you can decide whether you can limit your collection and retention practices: determine whether you need all the information currently being retained and whether some of it can be deleted.

Are you ready for POPI? Contact us here to learn more.
