Maryna holds the BA, LLB, LLM degrees and is a Director at the Cape Town branch of STBB. She is an admitted Attorney, Notary Public, Conveyancer and Insolvency Practitioner with many years of experience in the fields of property law, conveyancing and the laws relating to corporate compliance (especially in respect of the FICA and POPIA laws). Up until 2018 she was also head of the firm’s national marketing portfolio. She is a seasoned public speaker and presenter, both in person and online. She prepares text for the majority of STBB’s internal and external publications and is editor and co-writer for two pivotal publications in the South African real estate industry – the ABC of Conveyancing (JUTA) and Delport’s South African Property Law and Practice (JUTA).

Though of the Week | To all the ‘scares’ out there: Add POPI Act?

Lees in AfrikaansInguqulelo ngesiXhosa

South Africa’s data protection law, the Protection of Personal Information Act 4 of 2013 (POPIA), was signed into law in 2013. It was enacted to give effect to the constitutional right to privacy which includes the right to be protected against the unlawful collection, retention, and dissemination of data. Our thought of the week addresses three of the often-asked questions in respect of POPIA. 

  1. What is the purpose of POPIA?
  2. What is considered personal information?
  3. When will POPIA be implemented?

Ever since, business has been advised that POPIA’s coming into full operation was imminent, but it is yet to happen. 

1.     What is the purpose of POPIA?

The Act aims to promote the protection of personal data “processed by public and private bodies” and to establish “minimum requirements” for processing personal data. It furthermore empowers the Information Regulator “to perform certain duties and functions” in terms of POPIA in respect of the issuing codes of conduct, protecting the rights of persons as regards unsolicited electronic communications and automated decision making and to “regulate the flow of personal information across the borders of the Republic”. Ultimately, businesses will have to comply with the POPIA requirements in respect of the data they collect and how they use such data. 

2.     What is considered personal information?

The Act defines personal information as any data that can be used to identify a person. In short, it is “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.”

3.     When will POPIA be implemented?

In an interview, the Information Regulator indicated that they have asked the President to commence POPIA “by the beginning of the financial year”. The Government’s financial year runs from 1 April to 31 March. This means if the Act is implemented, all parties will have a grace period of one year resulting in POPIA’s effective compliance deadline being 1 April 2021 (if it comes into effect 1 April this year), some eight years after its enactment.

Having to deal with the COVID-19 pandemic, the financial impact of Eskom, and SAA’s problems, commentators are, however, not convinced that 1 April will be the date for coming into operation. Nevertheless, this should not translate into procrastination. POPIA is (just) good business practice in operation, requiring proper data management processes: It is good business sense to know what data you have, why you have it, and what you do with it.

Whether it comes into effect 1 April or later this year, do what is reasonably practicable in your business to start aligning your practices with the requirements of the POPIA, appoint an Information Officer, train your staff, put policies in place, because ultimately it is coming.

For assistance to become POPIA compliant, contact our POPI Hub at


For the best legal advice and personalised service, let's talk
Subscribe to our monthly newsletters, subscribe