Protection of Personal Information Act (POPI Act, POPIA)

In order to be SOC 2 Type II certified, Dataddo has to be compliant with South Africa's Protection of Personal Information Act (POPI Act or POPIA).

What is POPIA?

POPIA was created to protect personal information and one's right to privacy in South Africa. Introduced in 2013, POPIA requires institutions operating in South Africa to conduct themselves responsibly when collecting, processing, storing and sharing another entity's personal information.

What are POPIA's principles?

To be POPIA compliant, an institution or organization has to meet the following principles:

  • Accountability
  • Processing limitation - personal information usage must be lawful, with the minimal amount of information necessary
  • Purpose specification - personal information must be collected, used and retained for a specific purpose, related to the organisation’s activity
  • Further processing limitation - further processing of the information must be compatible with the original purpose for collection
  • Information quality - the personal information must be kept up to date, complete and accurate
  • Openness - there are things you need to tell the person when you collect their personal information
  • Security safeguards - measures must be taken to prevent loss of, or unauthorised access to, personal information
  • Data subject participation - the information does, after all, belong to someone else, and he or she must be able to access it
