POPIA/ PAIA

We provide guidance on achieving compliance with the Protection of Personal Information Act (POPIA) and the Promotion of Access to Information Act (PAIA). We assist in developing data protection policies, conducting compliance audits, and implementing processes to safeguard personal information.

At Pinion Human Capital, we are committed to helping your organisation stay compliant, protected, and informed. This document outlines the essentials of POPIA and PAIA compliance and how our full-service solution supports your compliance journey.

The Protection of Personal Information Act (POPIA) governs how personal data is collected, stored, used, and shared. It protects individuals’ data rights and promotes responsible, lawful data handling.

The Promotion of Access to Information Act (PAIA) gives individuals the legal right to access information from public and private entities to ensure transparency and accountability.

POPIA applies to any public or private body or person who processes personal information in South Africa.

Example:

  • A trust – trustees and beneficiary details are stored and processed
  • A company/sole trader/CC/Non-Profit that has any customers, employees, suppliers or stakeholders

The Information Officer.

The Information Officer of a business will be the Chief Executive Officer, Owner or equivalent officer, or any person duly authorised by the business.

You can lodge a complaint on complaints.IR@justice.gov.za.

POPIA gives the Information Regulator teeth, granting it broad authority to investigate and penalise at-fault parties. The Information Regulator registers the Information Officer, collects PAIA manuals and updates, receives complaints and acts on behalf of complainants.

The Act does not distinguish between small, medium and large businesses. Everyone is measured according to the same standard. All businesses and entities such as schools and churches have Personal Information in their possession and process such information and must comply.

The benefit lies in the fact that you are operating lawfully in terms of South African legislation. It demonstrates an entity's principles and ethical values. Consumer confidence studies have shown that in 90% of cases, consumers prefer to do business with companies that are ethical, transparent and comply with legislation.

The consequences of POPIA non-compliance include:

  • Fines up to R10 million
  • Imprisonment up to 10 years
  • Civil lawsuits
  • Being barred from processing data
  • Reputational harm
  • Directors may be declared unfit to serve

Example: Liberty Life suffered reputational and regulatory fallout in 2021 after a major data breach.

Common ways in which businesses fall foul of POPIA and PAIA include:

  • Sending personal information to the wrong email recipient
  • Losing unencrypted laptops or devices that have personal information saved on them
  • Collecting data without consent
  • Disposing of un-shredded sensitive documents in general waste
  • Hacked databases or weak IT safeguards
  • Refusing or delaying access to records without just cause
  • Failure to publish or update your PAIA manual
  • Not submitting the required annual PAIA report
  • Not responding to a request for access within the specified timeframe

In 2022, Dis-Chem was found guilty of breaching POPIA after a cyber-attack exposed the personal data of 3.6 million South Africans. The Information Regulator warned that failure to protect personal information could lead to fines of up to R10 million or imprisonment.

Failing to comply with PAIA can result in:

  • Court orders compelling information release
  • Contempt of court charges for non-compliance
  • Potential lawsuits and reputational harm

Let us help you protect your business, reduce risk, and build trust.
The steps below set out how to get compliant and how Pinion can assist you with each of them.

Compliance steps, with the responsibilities of Pinion Human Capital (PHC) and of the client:

  1. Registration of IO and Deputy IO
     PHC: Register and keep updated records of the IO and Deputy IO on the profile.
     Client: Supply updated records as information changes.

  2. POPI Manual
     PHC: Develop a POPI Manual that outlines the policies, procedures, and guidelines required for compliance with the Protection of Personal Information Act (POPIA).
     Client: The CEO to approve and sign off the manual. Communicate the information sections of the manual to all employees processing information.

  3. Compliance Audit
     PHC: In conjunction with the client, populate a compliance audit and keep a live worksheet.
     Client: Provide the information needed to complete the audit using the worksheets.

  4. Policies and Procedures
     PHC: Develop the policies and procedures required for compliance. This includes creating notices to data subjects, a privacy policy, notices to employees, an Information Technology (IT) policy, a document retention policy, disclaimers, and internal POPI compliance measures such as consent forms and general agreement clauses.
     Client:
     a) approve and sign off the policies;
     b) distribute the policies to its clients, suppliers, contractors, and any other processors;
     c) update systems, employment contracts and any other official contracts and documents that require POPI updates, as recommended by PHC.

  5. PAIA Manual
     PHC: Prepare the PAIA manual.
     Client: Upload the PAIA manual to its website.

  6. Annual PAIA Reporting
     PHC: Submit the annual PAIA report to the Information Regulator.
     Client: Approve the final submission.

  7. Internal Training
     PHC: Schedule an internal training session on policies and procedures.
     Client: Make employees available to attend training as per Information

Contact us today to begin your compliance journey.
Pinion Human Capital – Your Trusted Compliance Partner.

In light of all the recently published enforcement notices, what lessons can institutions handling personal information learn? There are five key insights:


  1. Training is crucial: In most of this year's enforcement notices, the Regulator has asked for evidence of POPIA awareness training. It is therefore essential to train all employees on POPIA. In terms of Regulation 4(1)(e) of the Act, it is the information officer's responsibility to ensure that internal awareness sessions are held on POPIA's provisions, regulations, codes of conduct and information obtained from the Regulator.
  2. Maintain an up-to-date risk management plan that addresses privacy and security risks: This can include a risk register to identify and record foreseeable internal and external privacy and security risks your business may be exposed to. Outline what steps you will take to mitigate these risks to prevent breaches and safeguard personal information in your possession or control.
  3. Plan for your response: Ensure that you have an incident response plan in place, and that your staff members know what to do in the event of a security compromise. This plan should include the necessary steps for notifying both the Regulator and the data subjects (unless their identities cannot be established) as required in terms of Section 22 of POPIA.
  4. Third-party service provider contracts: Maintain written contracts with all third-party service providers who process personal information on your behalf. These contracts should also address security measures that the third party will maintain in terms of Section 19 of POPIA.
  5. Implement a compliance framework: Ensure that you have in place a compliance framework in terms of Regulation 4(1)(a) of POPIA. This framework can include policies, procedures and controls for ensuring POPIA compliance in your business.

Proactive POPIA compliance

With cybercriminals continually developing innovative ways to gain access to personal information, data breaches pose a real threat to companies and institutions.

To safeguard against these threats, entities handling personal information must sharpen their cybersecurity measures. Equally important is maintaining robust procedures and practices to ensure POPIA compliance. Failing to do so can cost you dearly in terms of administrative fines.

What’s more, POPIA compliance goes a long way in protecting your clients’ personal information and limiting the fallout – including reputational damage to your business – should a data breach occur.


Speak to one of our experts

Natassja Barnard

natassja.barnard@pinionza.com

+27 (0)82 437 1498
