South Africa


  • Service: Advisory, Tax
  • Industry: Financial Services
  • Type: Press release
  • Date: 2014/07/31

Does POPI matter? Getting to the truth 

The South African legislative environment is constantly changing - often before business has become completely comfortable with its obligations under the preceding legislation; a challenge for any company director.

It was no different when the Protection of Personal Information Act (POPI) was enacted in November 2013. Much fanfare was made in the press about the Act, but most especially about the “radical” changes that business is expected to adopt in order to be compliant. Almost every comment made noise about the fines that would be imposed if businesses failed to comply with its provisions.  But how much of this is hype?  And how has KPMG responded to the issue?

The facts


  • POPI applies to every private and public body (referred to collectively in this article as ‘companies’) , giving specific rights to natural and juristic persons in the way that their personal information is handled.

  • POPI will require changes to the way in which companies conduct themselves, possibly extensively and almost certainly differing from one company to the next depending on the nature of their business in terms of the use and processing of personal information.

  • POPI does provide for significant fines and criminal sanctions on companies, directors and other employees who fail to comply with its provisions.


The effective date for POPI has not yet been determined - save for the provisions relating to the establishment of the Information Regulator which became effective in April this year - but rumours suggest that we could expect this to come into effect in the second half of 2014.A good understanding of what the Act requires of each business is necessary to in order to take the  appropriate action to ready companies for POPI.

POPI: a snapshot

  1. Be aware that POPI will be applied broadly to a wide range of situations and will require an explicit considered assessment on a case-by-case basis

  2. Processing of any personal information must be lawful in terms of the eight conditions set out in the Act, generally requiring prior consent (that may be withdrawn at any time) and considered in terms of the purpose for processing

  3. Companies must identify a defined purpose to collect information and the ‘data subject’ must be made aware of this purpose

  4. Further processing of personal information (ie, beyond the original purpose) needs additional consent

  5. Data subjects have a right to be informed about what information is collected and who has access to that information

  6. Data subjects have the right to object to processing and are entitled to request access to, as well as the correction and removal of their personal information

  7. Responsible parties remain responsible, even where the information is transferred to another party for processing on their behalf

  8. All personal information must be complete, accurate and kept up-to-date.

  9. Companies must have a retention and destruction policy to deal with the requirements relating to the retention of personal information under POPI. Personal information cannot be kept any longer than is necessary to achieve the original purpose for which it was collected.

  10. Companies need to take specific security measures to maintain the confidentiality and integrity of the personal information, regularly monitoring and updating these, and notifying the information regulator and data subject of any breaches.


Clearly, there are many facets of a business that POPI touches on and, at first glance, may appear overwhelming to deal with at once.

KPMG has established a POPI Centre of Excellence focussed on bringing solutions to our clients which are uncomplicated and, of primary importance, make business sense.  The KPMG POPI Centre of Excellence is made up of a multidisciplinary team of attorneys, IT advisory, regulatory and compliance specialists. The team has broken down the various requirements of POPI, offering solutions which are adaptable to a client’s specific needs.

KPMG is able to provide the resources and expertise necessary to enable clients to ready themselves for the commencement of this legislation.  A primary part of this solution is a gap assessment of the client’s “as is” position and the required state for POPI compliance, taking into account the nature of the information being processed and the means of processing. The solution includes processes for identifying and prioritising the actions necessary to address any exposure for the client under POPI, as well as assistance with the implementation of the identified steps to ensure that the client’s policies, processes and systems are in line with the requirements of POPI and that clients are able to manage requests from data subjects for access to their personal information.

From a legal perspective, the contractual relationship which a company has with its suppliers, customers and its own employees is a key aspect of POPI. The legal team within the POPI Centre of Excellence supports the client in ensuring that its existing contractual arrangements are aligned with the provisions of POPI and that POPI is specifically catered for.

As a whole, the KPMG solution is a considered and proactive approach.  It has been developed to allow clients to continue to do what they are good at – running their business – while the KPMG team assists management with tackling what needs to be achieved for that specific business under POPI.




Nikki Pennel
Corporate Law Advisory Practice

Protection of Personal Information Act (POPI)

The KPMG POPI Centre of Excellence is focussed on bringing solutions to our clients which are uncomplicated and, of primary importance, make business sense.