Compliance Briefing — July 1, 2021

South Africa’s Protection of Personal Information Act grace period closed, empowering the Information Regulator to impose penalties for privacy violations, mandatory breach notification failures, and inadequate operator contracts.

Executive briefing: The Protection of Personal Information Act, 2013 (POPIA) entered full enforcement on 1 July 2021 after a 12-month grace period. All responsible parties processing South African personal information must now evidence lawful processing bases, operator agreements, information officer registrations, and breach notification within reasonable timeframes.

Key compliance checkpoints

  • Accountability and lawful basis. Maintain processing registers tied to the eight POPIA conditions, documenting consent, contractual necessity, or legal obligations.
  • Operator management. Execute written contracts with operators (processors) that bind them to POPIA security safeguards and incident escalation.
  • Breach notification. Notify the Information Regulator and affected data subjects as soon as reasonably possible after discovering a compromise per Section 22.

Operational priorities

  • Information officer readiness. Register information officers and deputies with the Regulator and document delegated responsibilities.
  • Data subject rights. Implement workflows for access, correction, objection, and deletion requests within POPIA timelines.
  • Security safeguards. Conduct risk assessments and implement technical and organisational measures aligned with Section 19 requirements.

Enablement moves

  • Roll out training for frontline teams on identifying and escalating potential breaches or rights requests.
  • Integrate POPIA controls with GDPR and LGPD programs to streamline multi-jurisdictional compliance.
  • Establish evidence repositories for operator due diligence, DPIAs, and incident logs ahead of Regulator audits.

Zeph Tech supports South African operations with processing inventories, operator governance, and incident readiness tailored to POPIA.
