

Comply with POPIA

South Africa's Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') was promulgated into law on November 26, 2013, following the President's signature. A period of relative stasis then followed for several years while a commencement date for the key provisions was decided upon. The Information Regulator (the Regulator), the data protection authority provided for by POPIA, was established during this time and held its first meeting late in 2016, although its operations were limited. The Regulator announced, on July 1, 2021, that its enforcement powers under POPIA would be in effect from July 1, 2021, following the conclusion of the 12-month transition period for compliance as provided under Section 110 of POPIA.

POPIA is further supported by the Regulations Relating to the Protection of Personal Information (2018), which establish additional provisions on the application of POPIA and contain several template forms.

Visit our South Africa Jurisdiction Dashboard for further information on South Africa's Data Protection Landscape.


OneTrust DataGuidance has produced a POPIA v. GDPR report which you can download here, and which assists organizations in understanding and comparing key provisions of the POPIA to the GDPR. In the tab above, you can also leverage this information through our GDPR v. POPIA Comparison.

OneTrust DataGuidance provides a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and South Africa's Protection of Personal Information Act (POPIA). The report examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of POPIA with the GDPR.

You can access the latest version of the report here.

Key highlights

POPIA and the GDPR share some similarities. Both laws:

  • share similar definitions and concepts of 'personal data' and 'personal information';
  • have comparable concepts of data controllers and processors, known as responsible parties and operators in POPIA;
  • provide almost identical legal grounds for the processing of personal data; and
  • specify accountability as a central principle.

However, despite their similarities, POPIA and the GDPR also differ in their approach in some respects, such as:

  • POPIA includes juristic persons under its scope of application;
  • POPIA does not require impact assessments;
  • unlike the GDPR, POPIA does not refer to a right to data portability; and
  • the two laws take different approaches to responding to a data breach.