POPIA Compliance for Government Tenders in South Africa

What POPIA Requires from Businesses

POPIA establishes eight conditions for lawful processing of personal information: Accountability, Processing Limitation, Purpose Specification, Further Processing Limitation, Information Quality, Openness, Security Safeguards, and Data Subject Participation. Every organisation that processes personal information — including employee data, customer records, and supplier information — is a 'responsible party' under POPIA and must appoint an Information Officer registered with the Information Regulator. The Information Officer is responsible for developing and implementing a POPIA compliance framework.

Responsible parties must implement appropriate technical and organisational measures to secure personal information against loss, damage, unauthorised destruction, and unlawful access. This includes conducting Personal Information Impact Assessments (PIIAs), maintaining a record of processing activities (ROPA), entering into data processing agreements with operators (third parties that process data on your behalf), and notifying the Information Regulator and affected data subjects of any security breaches within a reasonable time. Operators — including cloud service providers and IT contractors — must be bound by written contracts.

• Register your Information Officer with the Information Regulator (www.inforegulator.org.za)
• Conduct a Personal Information Impact Assessment (PIIA)
• Prepare and maintain a Record of Processing Activities (ROPA)
• Implement a POPIA Compliance Manual and staff training programme
• Enter into data processing agreements with all operators
• Establish a breach notification procedure

POPIA Requirements in IT and Data Tenders

Government IT and data tenders increasingly include POPIA compliance as both a mandatory and evaluated requirement. Procuring entities — which are themselves responsible parties under POPIA — must ensure that any service provider they appoint to process personal information on their behalf is POPIA-compliant and will enter into a data processing agreement as required under Section 20 of POPIA. Tender documents may require bidders to submit their POPIA compliance policy, a register of their Information Officer, and evidence of staff training.

Cloud computing, managed services, and data analytics tenders are particularly sensitive from a POPIA perspective because they involve the transfer and processing of large volumes of personal information. Cross-border transfers of personal information are restricted under Section 72 of POPIA — personal information may only be transferred to a foreign country if that country has adequate data protection laws, or if the data subject has consented, or if a contract with equivalent protections is in place. Bidders for such contracts must demonstrate they have assessed and mitigated cross-border transfer risks.

• Provide your Information Officer's registration details from the Information Regulator
• Submit your POPIA Compliance Manual or Policy as part of the bid
• Demonstrate data breach response procedures
• Address cross-border data transfer controls for cloud and offshore services
• Show evidence of staff POPIA awareness training
• Provide a draft data processing agreement for review by the procuring entity

Information Regulator Enforcement and Penalties

The Information Regulator, established under Chapter 8 of POPIA, is the enforcement authority for both POPIA and the Promotion of Access to Information Act (PAIA). The Regulator can conduct assessments, issue enforcement notices, and impose administrative fines. Sections 107 and 109 of POPIA provide for criminal penalties of up to 10 years imprisonment and/or fines of up to R10 million for serious contraventions including processing personal information without lawful grounds and obstructing the Regulator's investigations.

For government tender purposes, bodies that have received enforcement notices or are under investigation by the Information Regulator may face reputational and legal barriers to winning public sector contracts. Procuring entities are increasingly conducting due diligence on the POPIA compliance track record of bidders in IT, healthcare, and social services tenders. Maintaining a current POPIA compliance programme and having a registered Information Officer are the minimum baseline requirements for credibility in these sectors.

• Information Regulator can impose fines up to R10 million
• Criminal penalties up to 10 years imprisonment for serious offences
• Enforcement notices require remediation within a specified timeframe
• Non-compliance may disqualify bidders in data-sensitive tenders
• Information Regulator contact: www.inforegulator.org.za | inforeg@justice.gov.za

Frequently Asked Questions

Related Guides

• Labour Law Compliance for Tenders
• IT Tenders in South Africa
• CSD Compliance Requirements
• CIPC Company Registration Guide