12 February 2021

5 ways to ensure you are POPI compliant by July 2021

Submitted by: Saskia Schuldig

The Protection of Personal Information Act (PoPIA) commenced on 1 July 2020 with a grace period of twelve months, meaning that official enforcement will commence on 1 July 2021. PoPIA is the latest major data privacy law in the world, modelled alongside the EU’s General Data Protection Regulation (GDPR).

The Act has altered the management of personal data amongst businesses in South Africa. Thomas Vollrath, 1-grid CEO, states that “initially we were concerned about our small to medium-sized enterprises as the new regulation may be intimidating as a result of the implications of non-compliance”.

Those who do not comply could suffer a fine of R1 million to R10 million, imprisonment of one to ten years or be required to financially compensate the data subjects for the damages that they have suffered as a result of non-compliance. Vollrath adds, “these implications are large and will impact our SMEs significantly. As a hosting provider to a large number of South African SMEs, we ensure that all of our customers receive the highest levels of security and confidentiality”.

The South African government has allowed a grace period of twelve months, meaning that our SMEs have another four to five months to prepare for the enforcement.

If you are an SME business owner, here is how you can ensure you are compliant before July 2021:

Appoint an information officer

A representative within the company should be selected to conduct mandatory duties. In a private entity this is usually the CEO unless stated otherwise.

Create awareness

After appointing the information officer, educating your employees and monitoring log-ins to help protect data are key. Data leakage includes accidental or intentional exposure of information through email communication. To help prevent a data leak, employees should be trained to be vigilant and identify potential cyber-attacks.

Impact assessment

After training has commenced, audits should be conducted throughout the organisation to understand the flow of data within the company. This includes how it is collected, who collects it, where it is stored, what it is used for and how it is retained or discarded. If any gaps are identified, an action plan to improve the data protection needs to be developed and implemented. 

Data protection policies and regulation adherence

After gaps are identified you will be able to draft security policies that outline how the personal customer information will be stored, processed and secured. Regulations should include an outline plan indicating a procedure to adhere to in the event of a data breach. The policy and plan should be effectively communicated to employees and the severity and implications of a data leak should be explained to your employees.  

Invest in the appropriate resources

You may need to adjust policies and procedures within your business. These include updating employee contracts, supplier agreements and marketing communications (opt-in and out practices).

Other resources that should be considered are:

  • Website security through firewalls
  • Anti-virus and malware protection
  • Cloud-based security
  • Email gateway security 

It is important to consider your website in your plan, as your website requests information from your customers. As the business owner, it is your responsibility to protect that information. Even though the information is stored on a protected server, you need to place measures on your own website to ensure your customers' information is protected.

Based on the above, it is evident that it requires manpower to ensure you are PoPI compliant; however, it is a necessity.

1-grid is willing to educate you further on how you can secure your customers' data on your website. If you would like to speak to us, please reach out.