The Protection of Personal Information Act – more than just compliance

For the first time South Africans will have their constitutional right to the privacy of their personal information enforced.

Protection of Personal Information Law

Protection of Personal Information or Data Privacy are terms that many South African organisations are only beginning to encounter. With the promulgation of the Protection of Personal Information law and the need for organisations to undergo privacy compliance journeys, does your organization understand the basic principles of protecting personal information according to the forthcoming law?

Deloitte Risk Advisory has produced a tutorial video on the key principles contained in the Protection of Personal Information law to assist your organization in creating data privacy awareness in preparation for the new compliance processes that organisations will be soon facing. The tutorial video has the Deloitte subject matter experts on data privacy discussing the key principles of this new law whilst providing you with a practical, easy to understand tutorial.

The Protection of Personal Information Act (PPI) will bring South Africa in line with international data protection laws and at the same time will protect personal information collected and processed by public and private organisations.

Personal information privacy presents a growing challenge as organisations must adapt and comply with complex international laws on how they handle personal information. The Act requires organisations to establish appropriate policies and procedures to protect the various forms of data that are part of their business operations.

Deloitte approach each matter with the view to providing workable, practical PPI solutions – underpinned by the focus of building trusted partnerships with our clients. 

Understanding the importance of PPI
Challenges clients face with PPI
The first steps to becoming PPI compliant
Identifying value-adds beyond minimum compliance
The Deloitte offering
Benefits to your organisation

Understanding the importance of PPI

If you process information such as names, addresses, e-mail addresses, ID numbers, employment history, health data that are associated with an individual; or if you outsource your data to third parties, your organisation will have to comply with PPI. All organisations have personal information about shareholders, employees, customers, suppliers so PPI affects every area of your business.

Organisations should consider:

  • The limited time to comply
    The Act should become an Act in the next three to six months. Business will be given a year to comply, but the full compliance procedure could typically take up to three years.
  • International privacy laws
    Several countries already have strict privacy laws. If your clients are doing business internationally, they are probably already in breach of the privacy laws in those countries.
  • System changes
    These changes often require reloading or rearrangement of information. This may be an opportune time to implement aspects of PPI.

Non-compliance with the provisions of the Act may result in criminal fines, civil liability and complaints to the regulator.

Challenges clients face with PPI

  • What are the first steps?
  • Who in the organisation should be responsible for PPI?
  • Where is the applicable information located?
  • In what way does PPI affect my internal and external processes?
  • What do I need to do to comply?
  • How should non-compliance be handled?
  • What is the cost of compliance?
  • How do I reduce the costs of storage, administration and management of data?

The first steps to becoming PPI compliant

There are fourteen information protection principles which establish minimum requirements for the processing of personal information which should be considered before you become compliant:


  • Personal information will have to be collected directly from the person involved
  • Consent from the individual will be required before the information can be processed
  • Personal information must be updated to remain accurate and complete
  • The processing of information for direct marketing is prohibited unless the company gets consent from the person involved
  • A person’s information can only be sent out of South Africa if it is to fulfil a contract between the individual and the firm, is required by law or consent has been given
  • Individuals have the right to request confirmation of their data from a company as well as make corrections to that information

Purpose specification

  • Data can only be collected for a specific, explicit and lawful purpose
  • The processing of personal data must be compatible with the stated purpose of collection or must be legally compliant
  • Personal information related to sensitive issues like race, health or politics has its own distinct rules under this Act

Further processing

  • Personal information that will be processed further than the initial purpose of collection must comply with the conditions

Retention requirements

  • Information cannot be retained for longer than necessary and will have to be destroyed

Data and quality integrity

  • Companies will be responsible for the security and integrity of data
  • Security measures have to be put in place if a third party processes information on behalf of the company

Destruction and archiving

Identifying value-adds beyond minimum compliance

Organisations can gain significant business performance improvements by approaching the Protection of Personal Information Act as a strategic opportunity rather than a compliance cost. There are advantages to be gained within a company, for example:

  • Technology gets the budget go-ahead for middleware and data warehouses, new SAP modules, data security upgrades etc., which add value when linked to the overall business strategy.
  • Select technology to support more than just data integration, e.g. options ranging from cloud to separate software and simple upgrades.
  • Build a customer-focused organisation by digging deeper into existing customer data
  • Valuable information around customers and markets can be obtained through data analysis of personal information for purposes of PPI compliance
  • Employees’ files are updated and remain up to date.
  • Organisations who lead the market in becoming PPI compliant will earn customer respect and loyalty
  • Valuable insights can be found in an organisation’s existing database, ahead of customer requests for their data removal

The Deloitte offering

Data is any company’s greatest asset – its value needs to be optimised within the framework created by the law, corporate governance requirements and customer expectations. In addition, clients that begin this project now can be positioned as front runners in the data privacy space, giving them a competitive advantage. Deloitte is able to offer the convenience of a flexible, integrated multifunctional process by encompassing all areas related to the PPI challenge.

Benefits to your organisation

  • Increases shareholder value / financial performance
  • Reduces risks – compliance, reputation, fraud, legal (penalties and damages)
  • Uncovers ‘unknown’ data stores for better enterprise-wide use to benefit the whole organisation
  • Convenience:
    • Deloitte will provide support and guidance through the whole PPI process
  • Global expertise
  • Security
  • Data analytics

In this way, Deloitte harnesses PPI into an opportunity which offers organisations more value through the compliance process.

Key contacts

Dean Chivers
Africa Leader
RA Legal
Tel: +27 (0) 11 806 5159

Material on this website is © 2014 Deloitte Global Services Limited, or a member firm of Deloitte Touche Tohmatsu Limited, or one of their affiliates. See Legal for copyright and other legal information.
