POPI & PAIA Compliance



The Protection of Personal Information Act (POPI) is just one of many Acts that govern South African law.  When looking at the requirements of the POPI Act, the requirements of other Acts should also be taken into consideration.

The Protection of Personal Information Act (POPI) and the Promotion of Access to Information Act (PAIA) hold a special relationship. Both can be viewed as “information” laws, and they sit at opposite ends of a continuum. On the one end, PAIA is an “Access” law, all about Freedom of Information. The POPI Act, on the other end, is about privacy and prevention of exposure of information. They should not be competing; rather, both are there to help ensure that information is managed correctly.

The POPI Act commenced on 1 July 2020.

Acts that may impact the POPI Act compliance process:

  • Basic Conditions of Employment Act 75 of 1997
  • Broad-Based Black Economic Empowerment Act 53 of 2003
  • Close Corporations Act 69 of 1984
  • Companies Act 71 of 2008
  • Compensation for Occupational Injuries and Diseases Act 130 of 1993
  • Consumer Protection Act, No 68 of 2008
  • Copyright Act 98 of 1978
  • Electronic Communication and Transactions Act 25 of 2002
  • Income Tax Act 58 of 1962
  • Intellectual Property Rights from Publicly Financed Research and Development Act 51 of 2008
  • International Standard for Records Management (ISO15489)
  • Labour Relations Act 66/1995
  • National Archives and Records Service of South Africa Act 43 of 1996
  • National Credit Act 34 of 2005
  • Promotion of Access to Information Act 2 of 2000 (PAIA)
  • Promotion of Administrative Justice Act 3 of 2000 (PAJA)
  • Protection of Personal Information Act 4 of 2013 (POPI)
  • South African National Standard for Records Management (SANS 15489)
  • The Constitution of the Republic of South Africa 1996
  • Value Added Tax Act 89 of 1991

In addition to these Acts, other industry-specific Acts, regulations and codes of practice should be considered. In particular, the King Report on Corporate Governance (King III and IV) should be considered.

The Promotion of Access to Information Act 2 of 2000 (“PAIA”) enables people to gain access to information held by both public and private bodies.  PAIA prescribes that every public and private body must publish an information manual to assist requesters who wish to access a record.

Although PAIA requires all private and public bodies to prepare a PAIA manual, a notice published by the Minister of Justice on 11 December 2015 exempts certain private bodies from compiling the manual contemplated in section 51(1) for a period of five years. This exemption states that private companies with fewer than 50 employees or with a turnover of less than the amounts stipulated in the schedule in the notice will be exempt from compiling the PAIA manual until 31 December 2020.

This notice has allowed specific private bodies to be exempt from complying. However, once this notice expires on 31 December 2020, all private bodies will need to submit their manual to the South African Human Rights Commission (“the SAHRC”).


If your company has a total annual turnover that is equal to or more than the amounts in the table below or you have 50 or more employees, you need to compile a manual.


| Industry | Turnover Threshold |
| --- | --- |
| Agriculture | R6 million |
| Mining and Quarrying | R22,5 million |
| Manufacturing | R30 million |
| Electricity, Gas and Water | R30 million |
| Construction | R15 million |
| Retail and Motor Trade and Repair Services | R45 million |
| Wholesale Trade, Commercial Agents and Allied Services | R75 million |
| Catering, Accommodation, and other Trade | R15 million |
| Transport Storage and Communications | R30 million |
| Finance and Business Services | R30 million |
| Community, Special and Personal Services | R15 million |

The RISKS of non-compliance are that your Information Officer will be liable to a hefty fine of up to R10m or face up to 10 years imprisonment, or both.

There are 5 Action Steps towards POPI compliance. It does take time and requires a culture shift within the organisation.

Step 1 – Identify

Step 2 – Audit – compliance risk assessment

Step 3 – Amendment – once you know what you have, you can go about amending to close up any loopholes

Step 4 – Supplement – for example, what are the areas you have not considered that may be posing a risk to your business, e.g. employees working remotely

Step 5 – Implementation and monitoring

We have partnered with VDT Consult to bring data privacy, security, cyber and protection solutions to your business. VDT, through their e-commerce site, www.popipack.co.za, have an array of online legaltech products and also offer a wide range of bespoke offerings and legal and technical professional service solutions for organisations or persons looking to address their data governance and compliance requirements.

Should you require more information on VDT’s POPIA service offerings, please contact Hands-on Human Resources for a personal introduction or feel free to visit their website and contact them directly.

Upon check out of any of their online products, please make sure to apply the following coupon code (HANDSONHR01) to qualify for a 10% discount.

Supporting you to meet the 1 July 2021 compliance deadline in South Africa.

Get in touch – info@hohr.co.za

Natalie Leach, CHRP, is the Founder and Director of Talent at Hands on Human Resources. She has gained a comprehensive understanding of people management from 25 years of experience in various sectors both in-house and HR Consulting. She is passionate about self-improvement and empowering people and organizations to thrive. Hands-on Human Resources offers Virtual HR and Talent sourcing services to South African SMEs. Send an e-mail to info@hohr.co.za to book a call.
