POPIA
Protection of Personal Information Act 4 of 2013
POPIA is South Africa's comprehensive data protection law, enacted in 2013 with core operative provisions commencing on 1 July 2020 and becoming fully enforceable on 1 July 2021. It sets eight conditions for the lawful processing of personal information and is enforced by the independent Information Regulator.
Jurisdiction: 🇿🇦 South Africa
Type: Data privacy
In effect: 2021
Authority: Information Regulator (South Africa)
Who it applies to
Public and private bodies (responsible parties) domiciled in South Africa that process personal information, and those outside South Africa that process personal information using means within the country.
Identity requirements
- Process personal information lawfully under one of POPIA's recognized justifications, such as consent or contractual necessity, in line with the eight processing conditions
- Uphold data subject rights including access, correction, deletion, and objection to processing
- Appoint and register an Information Officer with the Information Regulator and maintain accountability
- Implement appropriate, reasonable technical and organizational measures to secure the integrity and confidentiality of personal information
- Notify the Information Regulator and affected data subjects as soon as reasonably possible after a security compromise
- Obtain prior authorization or meet conditions for transferring personal information across South Africa's borders
How it impacts identity systems
| Identity area | Impact |
|---|---|
| Customer identity & consent (CIAM) | Lawful-processing conditions require clear consent or another justification and management of data subject preferences. |
| Breach notification | Responsible parties must notify the Information Regulator and affected individuals after a security compromise involving personal information. |
| Data residency & cross-border transfer | Transfers of personal information outside South Africa are allowed only where specified safeguards or conditions are met. |
| Audit, logging & accountability | An appointed Information Officer and accountability duties drive recordkeeping and oversight of personal information processing. |
| Authentication & MFA | The duty to apply reasonable security safeguards supports strong access controls and authentication over personal information. |
Penalties
Non-compliance can result in administrative fines of up to 10 million rand, and criminal offenses carry fines and/or imprisonment of up to 10 years for the most serious violations.
Official source
https://inforegulator.org.za/
POPIA: frequently asked questions
- When did POPIA become enforceable?
- POPIA's main provisions commenced on 1 July 2020, and after a one-year grace period the law became fully enforceable on 1 July 2021.
- Who enforces POPIA?
- The Information Regulator (South Africa), an independent body established under POPIA, enforces the Act and also administers the Promotion of Access to Information Act (PAIA).
- What is the maximum fine under POPIA?
- The Information Regulator can impose administrative fines of up to 10 million rand, and serious criminal offenses can lead to imprisonment of up to 10 years.
Educational summary, not legal advice. Confirm current requirements with the relevant authority or counsel.