By now, most organisations are aware that the Protection of Personal Information Act (POPIA) 4 of 2013 ("the Act") is effective and requires all businesses which process personal information of persons to comply with the Act's eight conditions for lawful processing, by 1 July 2021. How do you go about this daunting task of becoming compliant? KISCH IP will be publishing a series of articles on becoming compliant with POPIA, with the aim of providing insight into the Act and tools required to prepare the necessary policies.

Before any policies can be drafted, a business needs to identify what personal information it is processing, the various mediums of processing it can undertake, as well as why and when it is processing the personal information. They will also need to identify whether any of the personal information constitutes special person information.

Remember that personal information and processing is widely defined in the Act. Personal Information refers to any information that is capable of identifying a living person or existing juristic person, including contact details, biographic details, medical information, financial information, criminal information, employment information, educational information, biometric, opinions, preferences and geolocation. If an organisation processes any information pertaining to minors, or a person's religious, criminal behaviour, political beliefs, biometric information, race, health or trade union membership, they are processing special person information and compliance with each condition becomes more onerous.

Any operation or activity or any set of operations, whether by automatic means or not including the use, collection, communication, organisation, decryption, storage, deletion, transfer, dissemination, updating, modifying, merging, linking and copying of the above personal information has been defined by one word in the Act - 'processing'.

If an organisation is processing personal information and/or special personal information, it will need to ascertain whether any exemptions are applicable to continue processing the personal information. In terms of the Act, whenever you intend to process personal information for statistical, historic or research purposes, you need not comply with the eight conditions for lawful processing of personal information. However, note that compliance with the Act is still relevant for the actual collection and receipt of the personal information that is capable of identifying a person and that will be used for statistical, historic or research purposes, unless the personal information is encrypted and when decrypted incapable of identifying a person.

Once an organisation has determined that it is processing personal information of a living natural person and/or existing juristic person, they will then have to comply with the eight conditions for lawful processing, the first being, accountability i.e., identifying who is processing the personal information in or on behalf of the business.

Should you require any further information or assistance in complying with POPIA or have any further questions, then please do not hesitate to contact our data protection department at or

Getting compliant with the Protection of Personal Information Act (POPIA)

A series of compliant events - Part 2 - who is processing the personal information?

Part 3 - process limitation and specification (include retention and destruction policy here)

Part 4 - Further processing limitation

Part 5 - Information quality, openness and participation

Part 6 Security safeguards

Part 7 cross border transfer of PI

Part 8 appointment of an information officer

Part 9 direct marketing - consumer database

Part 10 penalties and training, checklist compliance

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.