They are simple and clear to understand. Don’t miss your opportunity to comment.

Earlier this year, during a stakeholder briefing, South Africa’s Information Regulator chairperson promised to have draft Protection of Personal Information Act regulations out before the end of 2017.  She has kept her word: draft POPIA (the Information Regulator prefers this acronym) regulations were published on Friday 8 September 2017.

POPIA’s main objective is to protect people’s personal information.  It was passed into law in 2013, but is not yet fully effective.

The draft regulations set out, in more detail, steps and procedures that are required in order to comply with POPIA.  What is clear from the draft regulations is that they are intended to be simple and uncomplicated.  This is, in our view, an excellent approach: considering South Africa’s demographics, the last thing we need is a convoluted process that makes it difficult for the average person to protect their rights.

The draft regulations expand on and regulate a number of administrative and procedural steps and obligations that POPIA imposes.  These steps include:

  • how to object to the processing of personal information;
  • how to request the correction, deletion or destruction of personal information;
  • the duties and responsibilities of Information Officers;
  • how to apply for a code of conduct
  • how to request a person’s permission to send them unsolicited direct marketing;
  • grievance or compliance submission processes; and
  • how to request the Information Regulator’s assistance as a conciliator during an investigation.

In our view, organisations should focus on those aspects related to the duties and responsibilities of Information Officers.  Regulation 4 sets out these duties, the first of which is to ensure that a compliance framework is developed, implemented and monitored.  This is where organisations that are serious about compliance, should start.

POPIA is not effective yet, and will give affected parties one year to comply, from the date it becomes fully effective.

A copy of the draft regulations is available on the Information Regulator’s website.  Comments on the regulations will be accepted until 7 November 2017.


Lucien Pierce is a partner at PPM Attorneys and has been practising for 20 years.  He focuses on the protection of personal information, information security, telecommunications, media and technology law.