Ten POPIA mistakes to check (so you don’t wreck) your business


When interviewing co-author of “Over-Thinking The Protection of Personal Information Act” we hardly expected it to be a laugh.

“We are campaigning to have ‘POPIA paralysis’ and ‘POPIA fatigue’ recognised as syndromes.”
Elizabeth de Stadler

So you’re tired of POPIA discussions, but why should you care? There are two big reasons that really stand out:

  1. Sustainable client relationships: roughly 32% of people have already switched companies or providers over their data policies or data sharing activities. This demographic is an important one because they are younger, they do more of their shopping online, they see themselves as early tech adopters and they are frequent users of social media.
  2. Fines might not cost you money, but compliance will save it! Privacy has you covered by reducing sales delays, mitigating losses caused by data breaches, and achieving operational efficiency through data controls.

“No organisation has compliance as one of its strategic objectives. It is perceived as a pain, not a gain. So we realised we would get boards to get behind a POPIA programme by speaking their language – money.”

That is not to say that making POPIA both accessible and urgent was easy. Elizabeth says that writing this book was hard for a few reasons. Firstly, the POPIA is new, so this book is full of some (educated) guesses, which we have highlighted. But secondly, the POPIA is actually old! The research that underpinned the first draft was published in 2005 and POPIA was enacted in 2013. Researching this book was a bit like an archaeological dig to determine what the drafters were thinking back then. Lastly, the POPIA is complex. It is comprised of a list of different principles that are linked in the most complicated way. Studying these principles as separate topics leads to confusion and some very bad advice. Hence, the book is not structured around the eight principles of the lawful processing of personal information. In fact, when I brought it up, she actually shouted at me. First, I was afraid, then I was petrified… and then I was interested.

Instead, it is made up of the following chapters:

  • POPIA’s place in the grand scheme of governance
  • The purpose and interpretation of POPIA
  • The application and scope of POPIA
  • Who is held accountable for POPIA compliance
  • Information security management
  • Processing must be for a lawful purpose
  • Special personal information and children’s personal information
  • When the Information Regulator must be approached for prior authorisation
  • The principles of minimal processing and information quality
  • Collecting and creating personal information
  • Notifying data subjects
  • Further processing of personal information (secondary use)
  • Sharing personal information between organisations
  • Transborder information flows
  • Profiling and automated decision-making
  • Direct marketing
  • Records management
  • Data subject rights
  • Enforcement of POPIA
  • How to implement a POPIA programme

“Additionally, in order to combat the almost inevitable paralysis, we also included ‘key points’,” Elizabeth points out, to my delight. “These nuggets are the things that are (a) most important to understand and (b) most commonly misunderstood.”

To combat the tedium, the authors drew inspiration from their favourite people, books, movies and musicians. While this makes it a fun read (something we never thought we could say about this topic) it also makes receiving the information cognitively easier across your organisation.

And – always in the spirit of brevity – we have Elizabeth’s top 10 mistakes you should avoid making when getting compliant with the Protection Of Personal Information Act:

  1. Stop with the consent! Still #1.
  2. No, it is unlikely that you get fined R10 million or go to jail. Learn how enforcement works, it is in the second half of the Act. Just keep going.
  3. The fine is not the scary part anyway! See up top.
  4. Publicly available personal information is still protected.
  5. Telemarketing is not electronic direct marketing… sorry.
  6. Copy-paste privacy notices from the Internet.
  7. Learn to archive. You mustn’t just delete personal information.
  8. There is no such thing as a POPIA certificate.
  9. There is no such thing as a POPIA manual.
  10. There is no checklist. Learn the principle-based balancing act.

Are you ready for the last POPIA book you’ll ever need? Check it out here:
Over-Thinking The Protection of Personal Information Act

Not ready to commit? As a treat we are offering all readers the opportunity to sample a free chapter on direct marketing – we know you’ll be hooked!

Elizabeth de Stadler describes herself as a rehabilitated lawyer, plain language fanatic, (extremely) amateur skateboarder, humour researcher, and someone who knows nothing about privacy law (particularly POPIA).

Join JUTA IN conversation

Recent posts