enactedZAEffective July 1, 2021

Protection of Personal Information Act (POPIA)

Complete compliance guide for companies with <200 employees. Everything you need to know about POPIA requirements, deadlines, and penalties.

DSAR Deadline

30 calendar days

+ 30 days extension

Max Penalty

ZAR 10,000,000/violation

Administrative fines up to ZAR 10 million. Criminal offences carry imprisonment up to 10 years for serious violations such as obstruction of the Information Regulator. The Information Regulator can also issue enforcement notices and award compensation to data subjects.

Threshold

No threshold

Est. Cost

$5,000 – $20,000

6-16 weeks

Mid-Market Compliance Guide

POPIA applies to all organizations processing personal information of South African data subjects, with no size or revenue threshold. The Information Officer registration requirement is mandatory and often overlooked by foreign companies. PAIA (Promotion of Access to Information Act) procedures apply alongside POPIA for access requests.

Key Requirements

8 conditions for lawful processing (accountability, purpose limitation, etc.)
Appoint an Information Officer and register with Information Regulator
Data breach notification to Regulator and data subjects
Obtain consent for processing of special personal information
Cross-border transfer only to countries with adequate protection
Maintain records of processing activities

Enforced by: Information RegulatorOfficial site

Consumer Rights

Right of Access (Section 23)

Right to Correction or Deletion (Section 24)

Right to Object to Processing (Section 11(3))

Right to Submit Complaint to Information Regulator

Right Not to Be Subject to Automated Decision-Making

Business Obligations

1.Register Information Officer with the Information Regulator
2.Respond to access requests within 30 days
3.Notify Regulator and data subjects of security compromises
4.Implement appropriate security safeguards (Section 19)
5.Use PAIA procedures for access request processing

Exemptions

•Processing for personal or household purposes
•Processing by or on behalf of a public body for national security
•Journalism purposes (limited exemption)
•Judicial functions of a court or tribunal

Related Privacy Laws

GDPR

General Data Protection Regulation

Privacy Act

Privacy Act 1988

Recommended Compliance Tools

BigID

AI-powered data intelligence for privacy and security

POPIA data classification and mapping

TrustArc

Enterprise privacy management with built-in regulatory intelligence

POPIA compliance program management

Securiti

AI-powered data command center for privacy, security, and governance

POPIA data protection compliance automation

Usercentrics

Enterprise consent management with Google-certified CMP status

POPIA consent management

CookieYes

Affordable cookie consent and compliance for small businesses

POPIA cookie compliance

Browse all compliance tools

Get a mid-market compliance checklist for POPIA

We'll send you a practical, step-by-step checklist tailored for companies with <200 employees. No spam, unsubscribe anytime.

See how DPAs enforce POPIA in practice

Real fines, real violations, real lessons. Browse our enforcement database to understand what gets penalized under POPIA.

Browse Enforcement Actions

Disclaimer: This is general information, not legal advice. Consult a qualified attorney for your specific situation. Laws and regulations may change. Last reviewed: 3/27/2026.

Read the official text of POPIA