The Protection of Personal Information Act (POPIA or the POPI Act) is the legislation that governs data protection and privacy in South Africa. The act gives effect to the right to privacy in section 14 of the Constitution of South Africa and works in conjunction with the Promotion of Access to Information Act. It applies to responsible parties (the equivalent of a "controller" in other regimes) that are domiciled in South Africa, or that are not domiciled there but process personal information using means located in South Africa, and it protects the personal information of natural and juristic persons, including visitors and undocumented immigrants. The act was signed into law in 2013; its substantive provisions came into force on July 1, 2020, which started a one-year grace period during which organizations were expected to bring their processing into compliance. The grace period ended on June 30, 2021, and the act became enforceable on July 1, 2021.
The POPI Act sets out several core obligations. Some of the key requirements include:
- Personal information may only be processed on a lawful ground set out in the act: the data subject consents; the processing is necessary to conclude or perform a contract to which the data subject is a party; it is required by law; it protects a legitimate interest of the data subject; or it falls under one of the other grounds the act lists, such as a legitimate interest of the responsible party or a third party.
- Responsible parties must secure the integrity and confidentiality of personal information by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of the information, and unlawful access to or processing of it. Where processing is outsourced to an operator (a processor), the operator must be bound by contract to the same security standard.
- Where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, the responsible party must notify the Information Regulator and, unless their identity cannot be established, the affected data subjects, as soon as reasonably possible after discovering the compromise.
Penalties under the POPI Act include administrative fines of up to R10 million and, for the most serious offences, imprisonment of up to 10 years; lesser offences carry lower maxima. The act matters because it protects data subjects from harms such as identity theft and discrimination. The risks of non-compliance include reputational damage, fines and imprisonment, and civil damages claims by data subjects, which the act allows to be brought without proof of intent or negligence.