Skip to content


We assist organisations with a full bouquet of compliance services in terms of both the Protection of Personal Information Act 4 of 2013 (POPIA) and the Promotion of Access to Information Act 2 of 2000 (PAIA).

We assist you in identifying compliance gaps and risks and preparing POPIA and PAIA-compliant policies.

Template Policies

Information governance policies (which includes POPIA and PAIA compliance)

Privacy policies

Cookies policies


Terms of use for websites

Consent forms

Organisational Policies

Template compliance policies adapted to organisational specifications

Compliance Audits

Impact assessments and compliance reviews

Gap analysis

Risk identification

Remedial guidance and compliance

Training Workshops

In-person and online

Train-the -trainer

Training for key personnel

POPIA Explained: one-day workshop

Tailored workshops

Advisory Services

Compliance checklists

Impact assessment checklists

Ad hoc advice

Cross border data transfers

Promoting the lawful processing of data

ALT FaviconCircle


The Protection of Personal Information Act 4 of 2013 (POPIA) is the comprehensive data protection legislation enacted in South Africa. POPIA aims to give effect to the constitutional right to privacy, whilst balancing this against competing rights and interests, particularly the right of access to information.

Responsible parties must be POPIA-compliant by 1 July 2021.
ALT FaviconCircle

Advising on cross-border data transfers


Data protection in South Africa

POPIA is a South African domestic law. As a general position, POPIA applies to the processing of personal information entered in a record by or for a responsible party that is domiciled in South Africa. However, POPIA may also apply to a responsible party not domiciled in South Africa where that responsible party makes use of automated or non-automated means within South Africa.

POPIA also provides for certain exclusions and exemptions, including for purely personal or household activities, for personal information that has been de-identified that cannot be re-identified again, or for journalistic, literary or artistic purposes.

Conducting POPIA compliance audits

ALT FaviconCircle


What you need to know

POPIA sets out eight conditions for the lawful processing of personal information:

  • Condition 1: Accountability (section 8) – that the responsible party must ensure that the conditions for the lawful processing of personal information are complied with at the time of determining the purpose and means of the processing, and during the processing itself.
  • Condition 2: Processing limitation (sections 9-12) – that personal information must be processed lawfully and in a reasonable manner, and only if it is adequate, relevant and not excessive given the purpose for which it is processed.
  • Condition 3: Purpose specification (sections 13-14) – that personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party, and should not be retained for longer than is necessary to achieve that purpose.
  • Condition 4: Further processing limitation (section 15): that further processing of personal information should be compatible with the purpose for which it was collected.
  • Condition 5: Information quality (section 16): that the responsible party is required to take steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.
  • Condition 6: Openness (sections 17 and 18): that the responsible party is required to take reasonably practicable steps to ensure that the data subject is aware of, amongst other things, what personal information is being collected, the source of the information, the purpose for which it is being collected, and the name and address of the responsible party.
  • Condition 7: Security safeguards (sections 19-22): that the responsible party is required to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures, having regard to generally accepted information security practices and procedures.
  • Condition 8: Data subject participation (sections 23-25): that a data subject has a right to request a responsible party to confirm whether personal information is held about the data subject, and be provided with the record or a description of the information held.  A data subject may further request a responsible party to correct or delete personal information about the data subject that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.

POPIA further sets out substantive requirements for, amongst other things, direct marketing (section 69); the use of directories (section 70); automated decision-making about data subjects (section 71); and the circumstances under which personal information may be transferred outside of South Africa (section 72).

Certain processing may only take place subject to prior authorisation from the Information Regulator (sections 57-59). This includes, for instance, where information is processed for the purposes of credit reporting, or where special personal information or personal information relating to children is being transferred to a third party in a foreign country that does not provide an adequate level of protection. It is an offence under POPIA to fail to notify the Regulator as required.

These sections of POPIA are not in force as yet.

ALT FaviconCircle

Advising on data protection in multiple jurisdictions

Training key personnel on POPIA

ALT FaviconCircle


Data protection in Africa and Europe

Read our overview of the GDPR here.

The General Data Protection Regulation (GDPR) is the binding law that will regulate data protection across the European Union from 25 May 2018. The GDPR both has extraterritorial application, and regulates the transfer of personal information to third countries outside of the EU. Practically, this may require organisations based outside the EU to ensure compliance with the GDPR if they want to do business within the EU.

While POPIA is substantially similar to the GDPR, it is not identical. Importantly, the GDPR includes certain key protections that are not contained in POPIA. This includes:

  • Consent: The GDPR contains stronger, clearer conditions for consent. It expressly requires that consent must be freely given, and be presented in a manner that is clearly distinguishable from other matters, in an easily and accessible form, using clear and plain language.
  • Right of access by data subjects: The GDPR includes enhanced access rights for data subjects, including that in circumstances where personal information is transferred to a third country outside the EU, the data subject has the right to be informed of the appropriate safeguards relating to the transfer.
  • Right to erasure / right to be forgotten: The GDPR more expressly defines the ambit of the right to erasure (also known as ‘the right to be forgotten’), including the steps to be taken to give effect to the right and the balance to be taken into account with, for instance, the right to freedom of expression and information.
  • Data portability: The GDPR introduces data portability, which relates to the right for a data subject to receive the personal information that they have provided in a structured, commonly used and machine-readable format, and the data subject’s right to transmit that information to another data controller.
  • Privacy by design: The GDPR includes privacy by design as an express legal requirement, which requires appropriate organisational and technical measures to be implemented both at the time of the determination of the means for processing and at the time of the processing itself. These measures must be designed to implement data protection principles in an effective manner, and to integrate the necessary safeguards and protect the rights of data subjects.
ALT FaviconCircle

Let’s get you POPIA compliant


Tell us a bit about your needs and we’ll contact you ASAP