Author: Maryna Botha
6 April 2021


The Information Regulator published the Guidelines for Information Officers and Deputy Information Officers, including instructions on how to register your business’ Information Officer with the Information Regulator. Registration can take place from 1 May 2021 onwards.

The Guidance Note also provides more details regarding the responsibilities and liabilities (including possible criminal liability) of the Information Officer and who may fulfil this position. Notably, for non-government entities, the Information Officer must be an employee of the entity at an executive level or equivalent position at management level.

Many businesses are still postponing the inevitable need to obtain assistance with their implementation of the Protection of Personal Information Act (‘POPIA’). With the 1 July 2021 compliance date nearing, now is a very good time to be chipping away at your business’ POPIA plans, including nominating and registering your Information Officer and investigating whether you may appoint deputies or third parties to assist, amongst other things.

The original article can be viewed here:

Guidelines for Information Officers and Deputy Information Officers can be viewed here:

– [STBB article 2 March 2021]

We regularly consult with business owners who, when considering their POPIA compliance responsibilities, react to them in love-hate terms. On the one hand, there is a positive response where compliance is constructively applied to the business’ own day-to-day running procedures and management. On the other hand, it appears less rosy where it is presented as a must-do red tape exercise, with a government-imposed threat of financially damaging penalties for non-compliance.
Fortunately, compliance with POPIA is neither of the above, as these notes suggest:

  1. Complying with POPIA is a big business worry only
  2. Ensuring compliance with POPIA is not an IT responsibility
  3. Debunking the one-size-fits-all approach to complying with POPIA
  4. POPI is not really about (unnecessary) red tape and a way for government to burden businesses

The Protection of Personal Information Act (POPI or POPIA), in the simplest terms, sets out ways in which businesses must deal with personal information that they hold and process. This includes personal details of their employees, as well as the personal details of their customers, clients and service providers, whether the customers and clients are individuals or other businesses/entities.

No matter the size of your business operation, you will hold (i.e., record) details of your customers, employees and third parties that provide services to you, online or on paper. As such, you should now take steps to make sure the information is safeguarded as required by POPIA, so that you are compliant when the Act becomes enforceable in July 2021.

This original article can be viewed here: