POPI Act for Dummies

The POPI Act of 2020, also known as a Privacy Policy, is South Africa’s law on data protection, specifically online, and on how data is kept, stored and distributed within an organisation. With information and data being processed at a rapid rate, it’s important that each country stays on top of its privacy policies and controls, to ensure the legal system is clear around online data and privacy. The POPI Act requires that you register a business “Information Officer” along with a declaration of the data collected, its source and why you are collecting it. It also allows for a data tracking system, where they will be able to clearly see who uses what data where, hopefully helping expose data leaks faster in the future.

There is no reason to panic as a business or as an individual when it comes to the POPI Act and being compliant. We will give you a summary right here, along with a template to use for your POPI Policy. We start with how a business goes about identifying all its data sources. While easy for small businesses, this can be a daunting task for larger firms.

Here is the basic POPI procedure to follow to get any corporation, big or small, in line with POPI.

  1. Register your business’s POPI information and declare information officers here: justice.gov.za/inforeg/portal
  2. Send your POPI Act Policy to current suppliers and customers.
  3. Display your POPI Act Policy on your website.
  4. ALWAYS ensure your company data is well protected and secure. NEVER sell your data to any corporation or individual; this is a criminal offence.

While the above is easy enough, it’s important that your business ensures it is POPI compliant and safe. How do you even begin to do this? We are going to tell you…

Name Information Officers

How this is done is completely up to the business. There is a lot of responsibility involved in the role, and the decision should be made with caution, as this person will be held responsible for answering your business’s data questions to the Act. They are the official data officers for your organisation. Your business size will give you an idea of how this should be handled. For larger organisations it’s better to name an information officer in each department, whereas smaller businesses could manage with only one or two. This decision is entirely based on the number of data source areas that need to be located and managed within the organisation. Once you have information officers identified, you may then get them to record all data sources they will be responsible for. A breakdown of how to easily collect and manage company data follows below:

Record all data sources 

Step 1 – Note down all areas of business (sales / marketing / ops, etc.)

Step 2 – Identify each area of data collection or data release within each department. (Banking / social accounts / suppliers)

Step 3 – Once all areas of data sources are allocated, put them on a list and identify in each data area WHAT information is being shared and WHY, whether it’s the client’s information or the service provider receiving information on the client or on the business in question. Also identify HOW it is being used and WHO is in charge of this data.

EG1: Marketing – Facebook – Email – Marketing manager
EG2: Operations – DHL – Client info (NAP: name/address/phone) – Ops manager

Once you have identified all the above information for your whole organisation, you will have a very clear diagram of data collected, why and how it is stored and used within your organisation. This will also allow you to identify any weak points that would need to be looked at or areas that are not protecting your clients or your data. 

POPI Act Company Policy

Once all this is identified your business will be able to draw up a POPI POLICY, which is part of the POPI Act regulations. This is a detailed document that outlines how data is stored and kept safe within the company. It details information on backups of data within the company. This should be easy to draw up after completing the diagram of all data points within the business. This document is to be sent to all your clients and suppliers, so that they are aware of how your data is being used. This is known as the POPI Act Policy. 


It’s important to display your POPI policy on your website via your Privacy Policy page. This is to ensure you’re protected with the right to access policy. This is where all international sites look for this kind of information. 

Register on POPI website 

Once you have all the above together, you can then begin the process of registering and ensuring you’re compliant with SA’s new privacy act here: justice.gov.za/inforeg/portal.

The POPI Act was put in place in July 2020, with one year to comply, which is why POPI is trending. Do not panic if you missed the deadline; please do go ahead, register and complete the process to ensure no future penalties.

Should you decide to not register your business with the Information Regulators, we highly suggest you ensure you have a Privacy Policy Page on your website or that you send along a draft of the BASIC PRIVACY POLICY document we have made available to all clients and suppliers. 

We have put together a basic POPI Act policy for you to begin with. Please download it here and edit it using Microsoft Word. Please ensure you edit all yellow-highlighted areas to reflect the relevant information according to your company’s data site map. Should you still have questions, please don’t hesitate to contact us; should you want to add a privacy policy page to your website, please email us on info@blogaboutbusiness.online for a free assessment.

For in-depth information on the POPI Act, please read – https://popia.co.za/
