With the full implementation of the Protection of Personal Information Act (PoPIA) creeping closer, you can’t afford not to get your affairs in order. However, this is no ordinary one-size-fits-all regulation. Get to know the basics, identify the gaps in your company and put only those measures in place that will mitigate the risk to your business and clients.

“Vinpro and our affiliates Vititec and FarmMS are currently on a journey towards making PoPIA a part of our daily operations. Through this we’ve realised the importance of this Act to ensure that all businesses in South Africa manage personal information in a lawful and responsible manner. We encourage our members to follow suit,” says Paiter Botha, Vinpro manager: compliance and special projects.

PoPIA applies to any person or business of any size or nature that holds or processes personal information on any person(s).

In essence, PoPIA aims to protect any person’s Constitutional right to privacy. “You wouldn’t want someone to share or process your own personal information in an irresponsible manner. The same applies to potential, current or former employees, clients, producer members or any other persons you collect, process or retain or destroy personal information for at any time,” says Dr Barbara van Heerden of Pétanque Consultancy who is facilitating Vinpro’s PoPIA compliance.

“Internationally, we’ve seen a rise in awareness and legislation protecting privacy and confidential information, as data hacks and leaks of confidential information come to light. An example is the European Union’s General Data Protection Regulation (GDPR),” said Anya George, an associate at Van der Spuy & Partners, at a recent Vinpro information session for cellars. While South Africa is still lagging behind other countries, it is encouraging that PoPIA is aligned with these international standards.

The background

PoPIA has been around since 2009, when the Bill was tabled at Parliament. Since then, all due processes were followed, leading to it being enacted in November 2013, with certain sections of the Act already coming into effect from April 2014. The Information Regulator, an independent body established to, among others, monitor and enforce compliance by public and private bodies with the provisions of the Promotion of Access to Information Act (PAIA) and the Protection of Personal Information Act (PoPIA), was appointed in September 2016.

Once the Regulator has finished setting up its office, PoPIA will be fully enacted and businesses will have 12 months to comply.

No rules, just principles

What makes PoPIA unusual is the fact that it is a principle-based regulation. This means that the context and interpretation of the regulation will determine its application. For example, a principle-based regulation would state, “Don’t drive faster than is reasonable and prudent in all circumstances”, whereas a rule-based regulation would stipulate “Don’t drive faster than 60 km/h in an urban area”. “It’s not about ticking boxes. Organisations will need to justify to the Regulator why their privacy-related risk mitigation measures are reasonable and prudent,” says Barbara.

Personal information is categorised into 48 data elements, ranging from a person’s name and contact details up to sexual preference, religion, fingerprints, as well as a person’s views or opinions, or views and opinions that other people have of that person.

The following 8 conditions serve as a guideline when formulating privacy-related policies and procedures. (Interpretations by Pétanque and Van der Spuy & Vennote)

1. Accountability:
Businesses are accountable for collecting, processing, disseminating, retaining and destroying personal information and can be held liable if this is not done in a lawful manner.

2. Processing limitation:
Collect personal information directly from the person involved, get their voluntary, informed and explicit consent to process their information and only process information in accordance with the purpose for which it was collected.

3. Purpose specification:
Clearly define and communicate the purpose for which you collect and process data to the person involved, don’t retain the information for longer than is required and destroy it thereafter in a responsible manner.

4. Further processing limitation:
If personal information is to be processed further for an additional purpose other than the original purpose for which it was obtained, then additional consent would need to be obtained from the data subjects.

5. Information quality:
Businesses must take reasonably practicable steps to ensure that the personal information collected is complete, accurate and not misleading, and updated as necessary.

6. Openness:
Inform the person involved what data elements you’re collecting, what they will be used for, that they have a choice not to provide them and what the implications would be if they don’t. Also disclose the source of any other data not provided by them.

7. Security safeguards:
Have sufficient safeguards in place to prevent the loss, damage, unauthorized destruction, unlawful access or processing of personal information. This applies to both physical and electronic records and needs to be continuously monitored. Also ensure that any third party that may have access to your data has sufficient data security safeguards in place.

8. Data subject participation:
The person whose data you’re holding (the data subject) needs to be informed of processes they can follow to find out or amend the information held by you and any third parties who process personal information on your behalf, where it is stored, how long it will be retained for and how it will be destroyed if no longer relevant. Furthermore, data subjects need to be informed of a complaints process should they wish to complain about how their personal information is processed by the accountable party.

“We prefer talking about operationalising PoPIA instead of complying with it. It’s about turning the theoretical aspects of the 8 conditions into a reality by enhancing business processes, protocols and daily tasks and ultimately creating a culture of responsible information management among employees. All the while taking the nature of your business and clients/customers into account,” says Barbara.

Don’t crack a nut with a sledgehammer!

PoPIA requires businesses that deal with personal information to draft a Privacy Policy. It also requires them to provide a Portfolio of Evidence proving that they’ve given due consideration to the privacy risks and mitigations as they pertain to their particular organisations. This can range from training and awareness sessions and campaigns among staff, to mapping processes, identifying gaps and putting protocols and processes in place to mitigate these risks.

“Context remains key. Before tackling this, it’s important to weigh up the probability and impact that a breach would have on the person(s) involved, as well as your business. Would it pose a reputational, legal or civil risk if your data ends up in the wrong hands?” says Barbara. Financial and medical information would, for example, be much more sensitive than general contact details, and would therefore need to be protected by more stringent protocols, processes and security safeguards.

“Not only is PoPIA compliance a necessity in terms of legislation; it improves business processes and is the right thing to do,” says Barbara.

Want to learn more?

Follow Pétanque’s #PrepForPoPIA blog page for more information, Q&As, tips and templates.
Also read more articles on PoPIA practicalities on Van der Spuy & Partners’ website.

What data does Vinpro have on you?

Should you wish to enquire about the specific personal information that Vinpro has on record of you as a member, if you would like to amend any of this information, or would like to submit a complaint about the way in which your information was processed, please contact us on tel: +27 (0) 21 276 0458 or e-mail:

