The Protection of Personal Information Act (POPIA) is South Africa’s data protection law. The act is important for the protection of information to protect people from harm. The act aims to protect people from theft of money, identify and their privacy (a fundamental human right). To achieve this, POPIA sets conditions for when it is lawful for someone to process someone else’s personal information.

POPIA involves three parties (who can be natural or juristic persons):

  • The data subject: the person to whom the information relates.
  • The responsible party: the person who determines why and how to process. For example, profit companies, non-profit companies, governments, state agencies and people. Called controllers in other jurisdictions
  • The operator: a person who processes personal information on behalf of the responsible party. For example, an IT vendor. Called processors in other jurisdictions.

POPIA places various obligations on the responsible party, which is the body ultimately responsible for the lawful processing of personal information. Responsible parties should only use operators that can meet the requirements of lawful personal information processing prescribed by the Protection of Personal Information Act.


There are two legal penalties or consequences for the responsible party:

  1. A fine or imprisonment of between R1 million and R10 million or one to ten years in jail.
  2. Paying money to data subjects to compensate them for the damage they have suffers.

The other penalties include:

  • Reputation damage
  • Losing customers (and employees) and failing to attract new ones

But your main motivation for complying with the Protection of Personal Information Act (POPIA) should be to protect people from harm. For more information on the new regulation please download the full PDF here.