Getting Started With POPI

August 2, 2017

For South African-based companies, the new Protection of Personal Information Act (POPI) is fast becoming a reality.

Consultants are driving this heavily and it seems that non-compliance could result in severe penalties for every transgression.

Your external board may even have requested that this new requirement become a priority on your list of governance items. IT, along with your internal Audit & Risk department, has been tasked with starting this undertaking.

But how important is this really, and how should you approach it?


One of our IT Leader Mastermind groups recently tackled this question. Here is a summarised version of the outcomes.

The Mastermind Answer

Although there is no clarity on when POPI will become law, it is good business practice to attend to this proactively.

Eventually senior business leaders can be held personally liable for information breaches.

Generally, the POPI Act is a good thing as it forces businesses to start treating the handling of customer data as important.

A good first step is to classify all information assets (employee, client & supplier data) and broadly decide who should have access, for what purposes and for how long.

Only when this is in place, consider the technical aspects of how to implement these controls.

When it comes to POPI, nobody can ever be 100% compliant. The question is rather: What is the amount of effort you have applied to safeguard any personal information you collect as part of doing business? As long as you have good policies as well as good controls in place, you should be covered.

The last question is: Should this be a job for the IT department? General consensus is that IT plays a massive role in the process as they are ultimately responsible for the implementation, but they should work in close cooperation with the legal, audit and/or risk teams.

Some More Insights

  • POPI has to be supported from the top of the organisation, otherwise it just becomes another “grudge project” and is doomed to fail.
  • If you decide to tackle this topic, it is imperative that you set aside budget for it (both time and money). This is not just a quick filler between two bigger projects.
  • An important question to ask yourself at all times during the project: Why do we need the data in the first place and what are we doing with it? Should we collect it?
  • Implementation of POPI for the most part doesn’t have anything to do with technology.
  • First line of defense to ensure compliance: educate your staff on how to handle different types of information.

Pro Tips

  • Beware that privacy of information is NOT the same as security of information. Don't treat POPI as just a security concern.
  • But do consider ISO 27001 and ISO 27002 during your POPI implementation as they are very complementary.
  • To quote from “The ISO/IEC 27000 family of standards helps organizations keep information assets secure. Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.”

About the author

Business Agility Coach | Abundance Thinker | Helping Mid-Market Companies Evolve by Using the Kanban Methodology
As a trained Industrial Engineer with close on 25 years' experience as an IT Professional and Business Executive in the mid-market IT industry, Mathias Tölken loves to share his experiences and expertise with others.
