IIG News

IIG Insights: POPIA – Managing Privacy Risk

On the 22nd of April, Old Mutual Insure sponsored a webinar on POPIA and the looming deadline for the implementation thereof which comes into effect on 01 July 2021. Tshepiso Chocho our IIG President welcomed our virtual attendees to the much spoken about the topic, as this piece of legislation affects all companies in South Africa. At the heart of it, the management of Privacy Risk and the potential consequences of confidential data being unprotected.


Our presenter Ndzalama Manyike is Old Mutual Insure’s Head of Regulatory Risk & Compliance and his primary responsibilities are to implement and execute compliance risk management frameworks, as well as providing professional advice and guidance to the business regarding compliance matters. 


He holds a Bachelor’s Degree in Law, which he obtained from the University of Pretoria, as well as a post-graduate Diploma in Compliance, which he obtained from the University of Johannesburg. He has extensive compliance experience within the financial services industry, having previously worked for the Financial Services Board, FNB and Discovery.


Ndzalama opened with the following statement: “If the data is more valuable than ever, imagine the protection thereof…” The POPIA came into effect on 01 July 2020 and all affected parties need to comply with the provisions thereof by 30 June 2021. The provisions are not enforceable during this compliance period. Penalties which could include sanctions for non-compliance can range up to R10 million or and 12 months imprisonment. In addition, other effects include loss of customer trust, lawsuits, and serious reputational damages.


Essentially the foundation of POPIA being rooted framed by 8 principles. These being Accountability, Processing Limitation, Purpose Specification, Further Limitations, Information Quality, Openness, Security Safeguards and Data Subject Participation. It was further pointed out that in essence all 8 are principally the same.


As a starting point, organisation’s would need to consider the following 6 aspects to adhere to the provisions of the POPIA.

  1. Do you process Personal Information (PI) or Special Personal Information
  2. Conduct Due Diligence and Identify Gaps
  3. Develop a Privacy Framework and Policy
  4. Data Inventory
  5. Design a Value Chain with Capabilities
  6. Privacy Operating Models


The Value Chain include various aspects relating to the data companies have access to.


Capabilities to manage the type of PI collected, the conditions and methods and sources of collection.


Capabilities to ensure PI is processed and shared legitimately and securely.


Capabilities that manage the integrity and quality of PI and the rights of data subjects.

Purpose Completion

Capabilities to manage the retention and destruction of PI once the purpose has been fulfilled.

Privacy Management

All capabilities that enable privacy governance and oversight of compliance to privacy legislation, policies and supporting standards.


The session further included exactly what POPIA requires what organisations must be able to do, the accepted industry standard to achieve this will be via the Privacy Data Inventory.

  • Understand why personal information is required (purpose)
  • Track how the information is processed (collected and used)
  • Easily identify where personal information is processed and stored
  • Determine with whom this information is shared


Ndzalama further highlighted why this piece of legislation matters to the industry, touching on information gathered from the lead stage to quoting, finalizing sales, claims to process to holding employee information.

In the final points of his presentation, he gave his insights on Managing Privacy Risk, which should be interconnected with an organisation’s Governance, Accountability and Delivery. He further touched on the elements of Managing Privacy Risk, including factors such as Risk assessment, Security and retention of information, Frameworks, Policies and Procedures, Employee and Third Party Contracting and Regular Awareness of all stakeholders.


The presentation was ended by tips shared with regards to third parties, other regulations to consider, creating employee awareness on the usage of personal information and the retention and destruction thereof. Further, we were reminded that each legally registered entity of an organisation must have a registered Information Officer and Deputy. Most important to remember, consent must be explicit for Special Personal Information. 


Our MC Tshepiso thanked Ndzalama for his time and insights into POPIA. Tshepiso then managed several questions and answers during the session. She ended the session by thanking Old Mutual for their sponsorship of this very insightful session.


Article by Suren Kasil


This IIG Insight session was sponsored by: