The Protection of Personal Information Act (POPI) is South Africa’s regulation governing data privacy for citizens of South Africa. Parts of it were enacted in 2013 (the non-compliance parts), but it is currently not enforceable. A commencement date has been set for July 1, 2020, and companies will have until July 1, 2021 to comply.

While POPI is similar to the EU’s GDPR, there are some important differences. POPI changes the default consent from opt-in to opt-out, meaning companies DO NOT need to get prior consent to collect individuals' information. In general, if you adhere to GDPR regulations you are also POPI compliant. Companies are not allowed to share collected information with anyone else, including any third party, or send marketing material without consent.

If companies collect personal information, they must adhere to certain principles to protect it. A company that suffers a data breach is liable for large fines. The threat is real and very imminent. The cost of non-compliance can be fines of up to R10 million in addition to possible jail time. It is important that companies have solutions in place to protect them from a possible data breach.

Non-compliance in the case of serious offenses carries maximum penalties of R10 million, imprisonment for a period of up to 10 years, or a combination of both. For less serious offenses, like hindering an official trying to execute a search and seizure warrant, the maximum penalty would be a fine, imprisonment for up to 12 months, or a combination of the two.