8 Principles of POPI

Consulting Ngelaw todayJanuary 8, 2018 18607 1 5

share close


Being fully compliant with Protection of Personal Information Act no. 4 of 2013 (POPIA) there are 8 Principles defined within the Act which must be addressed to be compliant. These are well-accepted attributes which are adopted throughout South Africa as the guidelines for a successful POPIA implementation.

Principle 1: Accountability

The organisation must appoint a party (Information Officer) who will be responsible for ensuring that the information protection principles within POPIA and the controls that are in place to enforce them are complied with.

Principle 2: Processing Limitation

The second principle deals with the lawfulness of processing, minimality of information collected, consent, justification and objection, and the collection of personal information directly from the data subject.

Principle 3: Purpose Specification

The third principle provides that personal information must be collected for a specific purpose and the data subject from whom the personal information is collected must be made aware of the purpose for which the personal information was collected.

Principle 4: Further processing limitation

The fourth principle regulates the further processing of personal information. If a responsible party further processes personal information, such processing must be compatible with the purpose for which the information was collected in principle 3.

Principle 5: Information quality

The fifth principle provides that the responsible party must take reasonable steps to ensure that the personal information that has been collected is complete, accurate, not misleading and up to date. In so doing, the responsible party must take into consideration the purpose for which the personal information was collected.

Principle 6: Openness

The sixth principle provides that the responsible party must be open about the collection of personal information by notifying the Regulator if it is going to process personal information and, if personal information is going to be collected, the responsible party must take “reasonably practicable steps to ensure that the data subject has been made aware that his or her personal information is going to be collected. The responsible party should for example, take reasonable steps to make the data subject aware of its name and address, and the purpose for which the personal information being collected.

Principle 7: Security Safeguards

The seventh principle provides that the responsible party must ensure that the integrity of the personal information in its control is secured through technical and organisational measures.

Principle 8: Data Subject Participation

The eighth principle provides that data subjects have the right to request that a responsible party confirm (free of charge) whether it holds personal information about the data subject, and he or she may also request a description of such information.


The consequences of non-compliance are significant, and may even result in the loss of a licence to trade (where applicable). Even if the penalties are paid, the loss of reputation is huge and this can have a devastating effect on any organisation. According to POPIA the organisation must first inform the Information Regulator and then also inform every person on that might be affected when there was an information/data loss.

The following are the consequences for not being complaint:

  • Administrative penalties
    • Fines up to R10 million and/or 10 years in jail per incident.
  • Enforcement notices
    • Stop processing personal information.
  • Civil Action
    • May be bought on by data subjects for “distress” pay out millions in damages to a civil claim action.
    • Suffer reputational damage.
  • General concerns
    • Loss of reputation and subsequent loss of customers and possible failure of the

How Can We Assist You?

Naveg assist organisations to comply with the Protection of Personal Information, POPI Act, EU GDPR, and other privacy requirements. We adopt a holistic and systematic approach to privacy compliance.

Although privacy compliance poses challenges, it’s an opportunity for organizations to take an intelligent and automated approach to data privacy governance and compliance. Operationalizing data privacy helps you stay competitive and agile as digital transformation initiatives expose more data for analysis and other processes.

POPI Act is going to be enforceable from July 2021 – meaning fines & penalties will be given to both public & private organisations found to be non-compliant.

We strive to save cost within the client’s enterprise operation by re-using the existing enterprise system application, unless if the desired goal cannot be realised with the existing system solution.

Our team includes Legal specialists, Chartered Accountants, IT specialists, ISO 27001 Lead implementers and Assessors, Privacy specialists, Process mapping specialists, Security analysts, Testers, Internal Audit specialists and Forensic specialists ready to assist your organisation with POPIA and GDPR compliance

Contact us today for a free initial assessment of your organisation.

Naveg Technologies

Tel: + (27) 011 678 0653/ +27 78 178 3979

email: [email protected] 

Website: www.naveg.co.za

Twitter: @navegtech / Facebook: @navegtech

Written by: Ngelaw

Tagged as: , , , .

Rate it
Previous post

Similar posts

Post comments (0)

Leave a reply

Your email address will not be published. Required fields are marked *