South Africa's Protection of Personal Information (POPI) Act seeks to regulate the processing of personal information and standardize compliance with privacy and data protection legislation. It is designed to promote the protection of personal information processed by public and private bodies and establish minimum requirements for the processing of personal information.

  • of South African organizations have not defined their purpose for collecting and processing personally identifiable information (PII)
  • of South African organizations do not have processes in place to notify data subjects about PII collected
  • of South African organizations expect to need one to three years to comply with the POPI Act


  • The Goal of POPI

    The POPI Act aims to protect PII and provides guidelines for lawfully processing such information. POPI brings South Africa in line with existing data protection laws around the world, enforcing an individual’s right to privacy.

    To avoid consequences that are expected to go into effect one year after administration of the law begins, organizations should already be embarking on the journey to compliance. See Solutions.

    POPI applies to everyone in South Africa who processes the personal information of another. Once an information protection regulator has been appointed to administer the law, companies are expected to have only 12 months to comply.



  • Protect Your Customers and Your Business

    Once the administration of POPI begins, companies that are non-compliant after the one-year anticipated grace period are subject to the following penalties or sanctions:


    • Imprisonment of offenders for between one and 10 years
    • Up to R 10 million in penalties and fines
    • Enforcement notice requiring the non-compliant organization to stop processing personal information
    • Civil action on behalf of an individual or group of individuals (including damages for financial and non-financial harm)


  • Preparing for POPI

    We recommend that you make preparations for POPI compliance a front-burner issue for your organization. As you seek expertise for your POPI assessments, consider how we can help.

    The SecureTrust Approach to POPI Compliance Assessment

    A SecureTrust POPI compliance assessment is tailored to meet your organization’s size, complexity and business requirements. SecureTrust provides you with a comprehensive workshop to give all levels of your organization a thorough understanding of the POPI Act, the assessment process and where the assessment process should fit into the established security processes – as well as your organization’s ultimate business goals. We also provide your organization with a compliance assessment and assessment report to help manage the overall compliance process and achieve all of your objectives.


    Supporting Services and Technologies

    POPI Condition 7 states that responsible parties must adhere to generally accepted information security practices and procedures. Here are some SecureTrust solutions that can help you address your organization’s gaps and help you meet the standards:

    • Managed Security Testing from Trustwave delivers on-demand, precision penetration testing with just a few clicks of a mouse. With a subscription, users can log in to the portal and schedule testing of databases, networks and applications.
    • Organizations can turn to Trustwave DbProtect for enterprise-grade support in identifying security lapses and ensuring their information repositories stay protected from internal gaffes and nefarious attackers, while maintaining compliance with regulatory and industry mandates.
    • Every day, your staff handles sensitive data, including PII. Ensuring they understand the security risks relevant to their duties is imperative. Human actions can result in loss of intellectual property and exposure of customer data. These breaches could lead to lengthy investigations, costly fines and negative brand sentiment. Proper training and awareness can help ensure your employees don't transform from assets into liabilities.

      Trustwave Security Awareness Education empowers your employees with the security know-how to help protect your business against growing security risks and compliance missteps.

    • When PII is compromised, an immediate and comprehensive response is needed to diagnose, fix and secure the problem so an organization may move forward from a breach. Trustwave Incident Readiness & Response is the foremost resource for preparing for and reacting to security incidents and breaches. Our SpiderLabs team of security experts and far-reaching experience identifies root causes of incidents and communicates responses in a way that both IT staff and management can understand.
    • Trustwave Vulnerability Management services and solutions help you manage a prioritized list of vulnerabilities, understand how to fix them and produce reports detailing and verifying your remediation progress over time.
    • Trustwave Secure Web Gateway delivers advanced and constant protection against malware and data loss. Secure Web Gateway is integrated with SecureTrust technology, including our SIEM, Secure Email Gateway, Data Loss Prevention, Web Application Firewall and Network Access Control solutions. Our DLP solution enables you to discover and classify sensitive data and prevent it from leaving the network.
    • Trustwave Managed Security Services help you augment your existing staff to address security requirements and compliance demands. Trustwave Managed Security Services can help you evolve processes, elevate data protection strategies, or advance the way you manage threats. With deep security expertise and unmatched threat intelligence, we will design a program that supports your specific needs, while giving you complete visibility and control.
    • Backed by our elite security research team SpiderLabs, Secure Email Gateway provides unmatched protection against advanced email threats and comprehensive data protection controls to keep confidential information from leaving your organization and falling into the wrong hands.

How It Works

  • Tailored for Your Organization

    The SecureTrust POPI Compliance Assessment Service uses the POPI Act as the basis for requirements and testing procedures. The service involves various policies, procedures and practices that will be evaluated by SecureTrust through documentation review, interviews, facilities inspection, controls assessment and examination of your current security architecture.

    1. Scope Definition
       • Define business areas involved in PII processing
       • Define the business needs and processes related to the collection, storage, use, sharing or transfer, and destruction or archiving of PII, i.e. create data flow diagrams with narratives
       • Identify critical PII processed by the client
       • Define or create a PII inventory (including unstructured data and paper-based repositories)
       • Identify the information security framework in use by the organization (if any)
       • Review Executive Summary
    2. Assessment
       • Perform a privacy risk assessment
       • Perform a privacy maturity assessment
    3. Report
       • POPI Compliance Assessment Report