The Protection of Personal Information Act, 2013 (Act 4 of 2013) (‘POPIA’) requires a responsible party to apply for and obtain authorisation prior to processing certain identified categories of personal information. With another POPIA compliance deadline fast approaching we have identified some questions to determine whether it is relevant to you.


Most organisations are able to process personal information by default. But some organisations need to get prior authorisation from the Information Regulator before 5 October 2021 to process personal information. POPIA stipulates that your organisation needs prior authorisation from the regulator if the personal information you process poses a high risk to your data subjects.


If you answer yes to any of the following, you need prior authorisation from the regulator:

  1. Does your organisation profile people?
  2. Does your organisation process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties?
  3. Do you process information for the purposes of credit reporting?
  4. Do you transfer special personal information or the personal information of children to a third party in another country that does not have an adequate level of protection for the processing of personal information as referred to in section 72?


If this applies to your organisation then you must apply for prior authorisation before 5 October 2021 – that’s in 6 days! – to be sure of getting the authorisation by the ultimate deadline of 1 February 2022.


To learn more, read the guidance note from the Information Regulator SA on Prior Authorisation under POPIA, by clicking on the link below. The form is also included in the guidelines, with information on how to submit the form for Prior Authorisation.