top of page
  • Robyn Davie


Updated: Dec 14, 2021

Protecting personal information within organisations

The Protection of Personal Information Act (the POPI Act) is fully in force effective 1 July 2020, having been passed by parliament seven years ago. The Act, which is regulated by the Information Regulator, will be of assistance to consumers whose personal information has been abused, or in circumstances where a company holding such information does not protect it sufficiently or demands personal information which is not necessary for the purpose for which it has been requested. The legislation aims to promote the protection of personal information processed by public and private bodies and seeks to balance the right to privacy against other rights, such as access to information. The Act is fundamental in safeguarding personal information and thus protecting individuals (and where applicable, juristic persons) against data breaches and theft of personal information.

The POPI Act aims to ensure that companies have adequate security measures in place when dealing with or processing personal information. Companies should be aware of what and how personal information is collected, stored, processed, and destroyed within their organisations and of their obligations in terms of the POPI Act in dealing with such information and formulating strategies to protect it. Companies will need to proactively manage their customer databases a lot more effectively, and keep records of where, how, and when the personal information was initially obtained and how it is used.

Complying with the POPI Act will require an analysis of all personal information collected or held by the organisation, where it was obtained and what the company does with it. Companies will need to ensure that they only collect, use, store, delete and otherwise handle personal information in ways permitted by the POPI Act and that the information is appropriately protected from unauthorised access or loss. The fines and penalties to which companies may be exposed vary depending on the offence, with a maximum penalty of 10 years in prison or a R10m fine.

Furthermore, while working from home has recently become the norm in the wake of the current health crisis, it is critical that organisations consider the impact which their working arrangements have on how the company secures personal information. Losing data to fraud can be more costly than the loss of cash or other assets and organisations therefore need to ensure data security, safeguard intellectual property and guard against cyber-fraud, and in order to do so, they need to stay informed of rapidly advancing technologies, emerging business trends and the methods employed by increasingly sophisticated cyber criminals. Moreover, companies need to be aware of the ways data can be stolen by employees and other perpetrators, identify various potential sources of data loss, both internal and external, implement appropriate data security measures and be prepared in the event of a data breach.

Nortons offers Forensic Services and has the expertise inhouse to assist organisations in matters related to fraud, with a team of qualified investigators to perform forensic audits and assist with the crucial strategies needed to mitigate the threat of malicious data theft and minimise the risk of inadvertent data loss.

Should you require additional information, please contact Anthony Norton on 082 452 7336 or by email on; or Tendai Kanongovere on 073 172 0800 or by email on


Switchboard: +27 (0) 11 666 7560 l Fax: +27 (0) 86 600 5529 l l 135 Daisy Street, Sandton, Johannesburg l P O Box 41162, Craighall, 2024, South Africa For queries regarding this newsletter, please contact Anthony Norton at © Copyright 2020 Nortons Inc


bottom of page