The POPI Act, not unlike any other, is fraught with terminology, jargon and wildly interpretable words. Sadly, understanding the POPI Act and terminology is the basis of preparing yourself for POPI compliance.

Firstly, it is important to understand the 4-fold purpose of the Protection of Personal Information Act:

(a)     To support our constitutional right to privacy;

(b)     To regulate the processing of personal information;

(c)     To provide remedies for abus; and

(d)     To establish an Information Regulator, to enforce this Act.

The concept of Personal Information and Special Personal Information is so important that we will dedicate an article to it (See that article here)



Consent forms the foundation of POPI.  By implication, no processing of Personal Information may take place without voluntary, specific and informed expression of will (permission). Consent is to be built into all processes, documentation and interaction.


‘‘Data subject’’

In the POPI context, the words Data Subject refers to the natural or juristic person to whom personal information relates.  The Data Subject is anyone who’s Personal Information is processed – this encompasses clients, staff, vendors/3rd parties/partners.

‘‘Direct marketing’’

POPI sees Direct marketing as any activity where a data subject is approached via any direct channel in an effort to promote a business or service, or requesting a donation.

‘‘Information Officer’’

The POPI Information Officer is generally the head of the organization, but the role can be deputized to one or more parties.

‘‘Electronic Communication’’

POPI specifically refers to Electronic Communication in the Act.  For clarity, this means any text, voice, sound or image message sent over a network, and stored until it is collected by the recipient.


The person who, under contract, processes personal information on behalf of a responsible party. POPI holds the Operator responsible for its actions, along with the Responsible Party


POPI considers the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; sharing, merging, linking, as well as restriction, degradation, erasure or destruction.


Information Management Lifecycle


Regardless of form or medium, POPI considers a Record as the writing on any material; produced, recorded or stored by any means, under the control of a responsible party.

‘‘Regulator’’ is the office of Information Regulator (See their website

‘‘Responsible Party’’

POPI sees the Responsible Party as the person/body which determines the purpose of and means for processing personal information.


‘‘Unique identifier’’

There has been a lot of debate around what constitutes a Unique Identifier. It simply means any identifier that is assigned to a data subject.

We trust the above helps clarify some of the basic fundamentals.  Please see here for more in the POPI 101 series.

The team at Metatrans has been in the Privacy business for almost a decade, and we have perfected out practical, no-nonsense Gap Identification, Training, and Implementation Methodology.  We are here for your every Privacy need.