Protection of Personal Information Act (POPIA) — South Africa's data protection law. 20 questions across all 8 conditions for lawful processing.
POPIA 2013 · Effective July 2021 · 8 Conditions · Free Tool
📋 About POPIA (Protection of Personal Information Act 4 of 2013)
Act Number: Act 4 of 2013
Effective: 1 July 2021
Regulator: Information Regulator
Max Fine: R10 Million
Imprisonment: Up to 10 years
Conditions: 8 Conditions
POPIA 8-Condition Compliance Checklist
Click each item to mark as compliant. Conditions are grouped per the Act.
POPIA Key Obligations & Contacts
Obligation: Requirement
Breach notification to Information Regulator: As soon as reasonably possible (no exact hours; aim for 72 hrs)
Notify data subjects of breach: As soon as reasonably possible after notifying Regulator
Information Officer registration: Mandatory — register at inforeg.org.za
PAIA Manual update: Mandatory for certain organisations
Cross-border transfer: To countries with adequate protection or with data subject consent
Regulator contact: inforeg.org.za / complaints@inforeg.org.za
Case workspace
Build, save and export this legal workflow
This workspace turns the POPIA readiness review result into a reusable matter note, dashboard item and gated PDF checklist. Use the app first, then save the evidence trail.
Benchmarked against Termly, OneTrust and enterprise consent platforms. The goal is not to copy them; it is to bring the useful workflow pattern into an Africa-first tool with official-source caution and local evidence capture.
Observed feature pattern
Mature privacy tools scan or map real processing activity, then connect policies, cookie choices, DSARs, consent logs and regulator evidence.
They preserve an audit trail instead of leaving users with a static policy that drifts away from the product.
They route high-risk processing into DPIA, breach and processor-contract workflows before launch or vendor onboarding.
Implemented on this app
This page now asks for matter, country or regime, date, status, evidence and risk flags before the user exports a note.
The app-specific checklist is not generic: it starts with "Map personal information by purpose, source, recipient and retention period".
Saved workflows can be resumed from the dashboard and handed off to Cookie Consent when the matter naturally continues.
The PDF/export moment is a value-after-result gate, so users can still use the tool first and only share email when saving the report.
Reviewed 28 April 2026 · South Africa
POPIA readiness review
POPIA work should follow the eight conditions for lawful processing and turn each gap into an owner, document, system control, and review date.
Decisions this clarifies
Whether personal information processing is lawful, specific and minimal
Whether data-subject participation and breach notification processes are documented
Whether cross-border transfers, operators and special personal information have controls
Before you rely on it
Map personal information by purpose, source, recipient and retention period
Review operator agreements and security safeguards before vendor onboarding
Prepare breach notification evidence for the Information Regulator and affected persons
Red flags
Copying a GDPR-only policy without POPIA terminology and operator clauses
Collecting ID, health or children data without enhanced controls
Treating direct marketing consent as a once-off checkbox
Before filing, signing, publishing, or sending anything, keep a short record that links the app result to evidence and official-source checks.
Capture
Save the country or regime, parties, dates, amounts, selected options, and final output. Add why this matters: Whether personal information processing is lawful, specific and minimal.
Attach
Map personal information by purpose, source, recipient and retention period. Also keep the strongest supporting document, receipt, portal reference, ID, contract, policy, or court file beside the generated result.
Escalate
If you see this risk, pause and get qualified help: Copying a GDPR-only policy without POPIA terminology and operator clauses.
Paste this into your matter file, compliance folder, board pack, or lawyer handoff.
POPIA Compliance for South African Businesses
The Protection of Personal Information Act (POPIA) came into full effect on 1 July 2021 and applies to any organisation that processes personal information of natural or juristic persons in South Africa. POPIA is modelled on the EU GDPR but tailored for the South African context.
POPIA establishes 8 conditions for lawful processing of personal information, which form the backbone of compliance obligations. These conditions cover accountability, processing limitation, purpose specification, further limitation, information quality, openness, security safeguards, and data subject participation.
Information Officers must be registered with the Information Regulator. This is a mandatory requirement for all responsible parties.
Security breaches must be reported to the Information Regulator and affected data subjects as soon as reasonably possible.
Special personal information (equivalent to GDPR special categories), including health data, race, biometrics, and religious beliefs, requires additional safeguards.
The Information Regulator can issue enforcement notices, impose fines up to R10 million, and refer cases for criminal prosecution with sentences up to 10 years.
Disclaimer
This tool provides general information and educational resources only. Not legal advice. Consult a qualified data protection attorney for advice specific to your organisation's circumstances under POPIA.