Are you uncertain about the POPI Act in South Africa and need your questions answered? We will be answering the top 7 most frequently asked questions to help you understand the basics.

You might have heard of the POPI Act but you’re not quite sure what it all means. We have found the most frequently asked questions about the POPI Act and answered each question to help you better understand and prepare. 

The POPI Act is complex and can be hard to summarise as it has a broad impact on many industries. However, having a basic understanding will already give you a knowledge boost as well as bring you a step closer to implementing it. 

In this blog, we will cover the top seven questions, including a section about the effect that the POPI Act has on medical practices.

Table of Contents

  1. What is the POPI Act?
  2. Has the POPI Act been Enforced? 
  3. What is Personal Information in terms of the POPI Act? 
  4. Who will be impacted by the POPI Act? 
  5. How Will it Affect Medical Practices?
  6. What Happens if I Don’t Comply with the Act?
  7. POPI Act vs GDPR? 

#1 What is the POPI Act? 

POPI is the abbreviation for the Protection of Personal Information Act. The POPI Act is South Africa’s equivalent of the European Union’s General Data Protection Regulation (GDPR).

The main goal of the POPI Act is to protect data subjects from security breaches, theft, and discrimination. You can visit the South African Government website to find out what the rest of their aims are for this Act.  

It will include conditions for the lawful processing of personal data of South Africans (both South African citizens and those living in South Africa). The Act includes eight general conditions and three less descriptive conditions.

#2 Has the POPI Act been Enforced? 

Out of all the questions, this one has been asked and asked again – and each time the answer seems to keep changing. POPIA was signed by then-president Jacob Zuma on 19 November 2013 and was published in the Government Gazette on 26 November 2013.

Parts of the law became effective on 11 April 2014, while the rest of the law was still inactive on the books in 2019. Once the Act becomes formal law, there will be a one-year grace period to comply.

That being said, the Information Regulator’s office, speaking at the International Conference on Computers, Privacy and Data Protection that took place in Brussels earlier this year, stated that POPIA will commence in the second half of 2020.

The roll-out of a comprehensive POPI compliance plan can take between six months and two years to finalise. So if you haven’t already — you’d best start working on it as soon as possible!

#3 What is Personal Information in terms of the POPI Act?

Personal information is data that can be used to identify a person. This includes, but is not limited to, the following:

  • ID Number, 
  • Email Address, 
  • Telephone Number, 
  • Physical Address, 
  • Physical or Mental Health, 
  • Disability, 
  • Marital Status, 
  • Pregnancy, 
  • Religion/Beliefs/Culture, 
  • Educational/Medical/Financial/Criminal or Employment History, 
  • National/Ethnic/Social Origin, etc. 

#4 Who will be impacted by the POPI Act? 

To put it simply, just about all companies in South Africa will be affected, but in particular, those that deal with a large amount of personal information such as banks, insurance companies, medical aids, etc.

The biggest change is the introduction of restrictions for processing special types of personal information (including children’s data). All companies need to have systems in place to deal with personal information. 

#5 How Will it Affect Medical Practices?

The POPI Act will place an extra responsibility on healthcare professionals to monitor and self-report their own flow of personal information. This is especially important as the medical industry has a large amount of personal information in its possession.

It’s natural for practitioners to collect personal information from their patients as they mainly use their data for diagnostic purposes and then for billing. The key will then be to keep the information safe from loss, damage, and unauthorised personnel as well as unlawful processing of this personal information. 

We have already covered the importance of backing up, using cloud-based medical software, as well as the type of access each role should have in a practice. This will give you a better understanding and guideline in preparation for such measures.

#6 What Happens if I Don’t Comply with the Act? 

Don’t underestimate the POPIA and don’t just see it as a burden; instead, try to view it as an opportunity to create your own data strategy that will guard your company/practice and your clients/patients.

However, failure to comply with this Act can lead to a variety of implications – these include:

  • A complaint lodged with the Information Regulator, 
  • Receiving a civil claim for payment of any damages, 
  • Criminal prosecution – if convicted there could be a fine of up to R10 million or a prison sentence of up to ten years, or even both. 

#7 POPI Act vs GDPR? 

As we have mentioned at the beginning of this blog, the POPI Act is South Africa’s equivalent of the European Union’s General Data Protection Regulation (GDPR). They are similar in some ways. 

They’re similar in the sense that both lay down the law for processing and storing personal information and the rules for notifying third parties if there are security breaches. And yet, they differ from each other in terms of their security regulations:  

  • GDPR: “The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to risks represented by the processing and the nature of the personal data to be protected.”
  • POPI: “A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures.”


We’ve now covered the frequently asked questions about the POPI Act. You should now have a basic understanding of the new Act and you might have thought of a few ways to start implementing a data strategy in your business. 

A pro tip we can offer is to keep educating and empowering yourself on anything new that might affect your business/practice – this includes reading about it and investing in tools and/or software to assist you.