Several key provisions of the Protection of Personal Information Act, 2013 (PoPIA) will commence on 1 July 2020. Although some provisions of PoPIA (for example, those dealing with the establishment of the Information Regulator) commenced during 2014, the implementation of the remaining provisions was postponed to allow for the operational readiness of the Information Regulator.  

The provisions that will come into effect on 1 July 2020 deal with the following aspects of PoPIA: 

  • the conditions for lawful processing of personal information; 
  • the regulation of the processing of special personal information; 
  • Codes of Conduct issued by the Information Regulator; 
  • procedures for dealing with complaints, and
  • provisions regulating direct marketing by means of unsolicited electronic communication, and general enforcement of the Act. 

All institutions that process personal information are required to be PoPIA compliant by 1 July 2021, one year after the above sections become effective. To become compliant, the following minimum steps are recommended: 

  1. Appointment of an Information Officer; 
  2. establish the compliance framework; 
  3. updating existing contracts to be PoPIA compliant; 
  4. draft and implement data protection policies, and 
  5. establishing appropriate controls and processes to ensure the compliance framework is effective. 

ICS is in the process of expanding its service offering and will shortly provide more details of our expanded offering, with a view to providing compliance support in relation to PoPIA.


If you would like to find out more about the services that ICS offers please contact us.