
Is POPI Applicable To My Small Business?

By BVSA, 26 March 2019


The Protection of Personal Information Act ("POPI") is legislation with the purpose of protecting personal information processed by public and private bodies. Therefore, POPI applies to all bodies in the private and public sectors.

Personal information is defined very broadly to include any unique and/or identifiable characteristic of a person. This includes but is not limited to information regarding race, gender, marital status, health, finance, educational or medical history, views or opinions, correspondence of a confidential nature, contact details, and biometric information.


A private body is defined to include natural persons that trade in their own name, partnerships, and legal persons. A public body includes any department of state or administration in the national and provincial spheres of government, any municipality in the local sphere of government, and any other functionary or institution exercising a public power or function in terms of any legislation.


POPI lists eight conditions for lawful processing of personal information: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation.

Processing is any operation or activity, whether by automated means or not, concerning personal information. This includes the acts of collecting, recording, organising, storing, updating, distributing, and deleting personal information.

The Act also refers to information that is recorded, which includes writing on any material, book, map, or drawing, and information produced or recorded on digital equipment.


Practically, considering the eight principles addressed by the Act, when a body acquires your information with your consent, it must be used for the purpose and to the extent for which it was acquired. The information must then be safeguarded against theft or compromise to ensure its integrity and accuracy.

The Act also changes the manner of consent for direct marketing: to avoid unsolicited commercial communication, it uses an "opt-in" mechanism as opposed to an "opt-out" mechanism. This means that you must choose whether to receive commercial communication, as opposed to receiving it first and then having the option to opt out. The Act also provides a prescribed manner and form in which consent regarding marketing material must be obtained.

Only certain sections of the Act are presently in force, but the whole of the Act will be in effect once the president proclaims the date. It is speculated that this will probably be towards the end of 2018 with a one-year grace period, meaning that the Act's deadline will probably be towards the end of 2019 or 2020.


Don't delay compliance with the Act, as non-compliance has serious consequences. The Act lists offences for which a person found guilty could face fines of up to R10 million or 10 years' imprisonment.

Contact BVSA legal services today to assist with compliance in this new era of information protection!

Please contact one of our expert advisors for further information.

The above-mentioned is for information purposes only and is in no way advice. Boshoff Visser Konsult (Pty) Ltd. encourages readers to get in touch with an expert financial advisor before making any decisions.