Understanding the Protection of Personal Information Act (POPIA) and its Applicability in South Africa

The Protection of Personal Information Act (POPIA) is a crucial legislation enacted in South Africa to safeguard the privacy and personal data of individuals. This article aims to shed light on the entities and individuals affected by POPIA, outlining their responsibilities and the impact of this act on data protection in the country. So, who does POPIA apply to?

Overview of POPIA

POPIA was signed into law on 26 November 2013, and its provisions came into effect on 1 July 2020, with the one-year grace period for compliance ending on 1 July 2021. The act aims to ensure that all personal information processed by organisations is handled responsibly, protecting individuals from the unauthorised use or disclosure of their personal data. POPIA is aligned with international data protection standards and brings South Africa in line with global best practices regarding privacy and data protection.

Applicability of POPIA

Who does POPIA apply to? POPIA applies to both public and private bodies that process personal information in South Africa. The act casts a wide net in terms of its scope, encompassing a broad range of entities and individuals. It is important to understand who falls under the purview of POPIA to ensure compliance with the act.

Private Sector: POPIA applies to all private companies, regardless of their size or industry, if they process personal information. This includes but is not limited to businesses, non-profit organisations, and professional practitioners.

Public Sector: All governmental departments, municipalities, and state-owned entities are subject to POPIA. It is vital for public institutions to implement measures to protect personal information and ensure compliance with the act.

Data Subjects: POPIA provides individuals, referred to as “data subjects,” with certain rights and protections concerning their personal information. These rights include the right to access their data, request corrections, and object to the processing of their information for direct marketing purposes. For a deeper understanding of what constitutes personal information under the Act, see our article on the POPI Act in South Africa.

The Role of the Information Regulator

The Information Regulator is the independent body established under POPIA to monitor and enforce compliance. Since becoming fully operational, the Regulator has taken an increasingly active enforcement stance. Notable actions include issuing R5 million administrative fines against the Department of Justice and Constitutional Development (following a ransomware attack that compromised personal information) and the Department of Basic Education (for non-compliant processing of learners’ personal data). These enforcement actions signal that non-compliance carries real consequences for both public and private bodies.

Responsibilities and Impact

Under POPIA, all organisations and individuals processing personal information are required to adhere to certain principles and take appropriate measures to protect data. Some key responsibilities include obtaining informed consent, only collecting necessary information, and implementing security safeguards to prevent data breaches.

Non-compliance with POPIA can result in severe penalties, including administrative fines of up to R10 million and criminal prosecution in certain cases. Organisations found guilty of contravening the act may face reputational damage and legal consequences.

POPIA has had a significant impact on businesses and individuals in South Africa. Organisations have had to revise their data protection policies, update consent forms, and implement robust security measures to ensure compliance. Data subjects now have greater control over their personal information, fostering a culture of transparency and accountability. Employers, in particular, must take care when processing employee data — for more on this, see our guide to the application of POPIA in the workplace.

2025 and 2026 Regulatory Updates

In January 2025, the POPIA Regulations were amended, with changes gazetted in April 2025. Key updates include:

  • Enhanced data subject rights: Data subjects may now object to the processing of their personal information at any time during office hours, removing previous procedural barriers.
  • Correction and deletion requests: Data subjects can request correction and deletion of inaccurate, irrelevant, excessive, incomplete, or unlawfully obtained personal information.
  • Mandatory online breach reporting: The Information Regulator introduced an e-Portal for reporting security compromises, which is now the mandatory reporting tool for both private and public organisations.
  • Administrative fine arrangements: Responsible parties may now arrange with the Regulator to settle administrative fines in instalments.

More recently, the Information Regulator’s Regulations relating to the Processing of Data Subjects’ Health Information by Certain Responsible Parties came into force on 6 March 2026. These binding, sector-specific rules place additional safeguards on healthcare providers, medical schemes, insurers and other responsible parties that process health-related personal information, underlining that POPIA’s reach continues to deepen for organisations handling sensitive data. Compliance is monitored and enforced by the Information Regulator.

These amendments reinforce the importance of ongoing compliance and proactive data governance. Organisations operating in the digital space should also be aware of the interplay between POPIA and the Cybercrimes Act, which addresses related obligations around data security and cybercrime reporting.

Conclusion

In a nutshell, who does POPIA apply to: The Protection of Personal Information Act (POPIA) applies to a wide range of entities and individuals in South Africa, both in the public and private sectors. Adherence to POPIA is crucial to protect personal information, promote responsible data processing, and ensure the privacy rights of individuals are upheld. With the Information Regulator now actively enforcing the Act and the 2025 regulatory amendments expanding data subject rights, compliance is more important than ever.


Updated 30 June 2026 — Added the Information Regulator’s Regulations relating to the Processing of Data Subjects’ Health Information by Certain Responsible Parties, which came into force on 6 March 2026 and impose additional safeguards on healthcare providers, medical schemes and insurers processing health-related personal information. POPIA’s applicability, the R10 million administrative-penalty ceiling and the 2025 Regulation amendments were confirmed current.