The Protection of Personal Information Act (or POPI Act) is South Africa’s equivalent of the EU GDPR. It sets some conditions for responsible parties (called controllers in other jurisdictions) to lawfully process the personal information of data subjects (both natural and juristic persons). The POPI Act does not stop you from processing and does not require you to get consent from data subjects to process their personal information. Whoever decides why and how to process personal information is responsible for complying with the conditions. There are eight general conditions and three extra conditions. The responsible party is also responsible for a failure by their operators (those who process for them) to meet the conditions.
 
The POPI Act is important because it protects data subjects from harm, like theft and discrimination. The risks of non-compliance include reputational damage, fines and imprisonment, and paying out damages claims to data subjects. The biggest risk, after reputational damage, is a fine for failing to protect account numbers.
The biggest impact is on organizations that process lots of personal information, especially special personal information, children’s information, and account numbers. The most affected industries are financial services, healthcare, and marketing.

TABLE OF CONTENT
1. About The Course
 
2. How This Training Material Should Be Used?    
 
3. Introduction to the POPI Act and Personal Information  
 
4. The 8 Conditions for lawful processing of personal information    
 
5. POPI Implementation in an organization    
 
6. The Implications of POPI in Direct Marketing  
 
7. General exclusions in terms of POPI    
 
8. Trans border Information Flows    
 
9. The impact of the POPI Act on your organization    
 
10. Risks and consequences of non-compliance with the Act