“The Protection of Personal Information Act, 2013 (POPIA) aims to promote the protection of personal information processed by public and private bodies by, among others, introducing certain conditions for the lawful processing of personal information so as to establish minimum requirements for the processing of such information.” [https://justice.gov.za/inforeg/about.html]

This eight-hour course will benefit tech start-ups in all phases of development. It is an essential guide on compliance requirements and duties for the lawful processing of Personal Information. The course imparts an understanding of the internal business processes required to become compliant with POPIA.

When and where?

This course is not currently scheduled.

Check out our Course Overview page to see all our current courses. Or join our mailing list to stay up to date with newly-scheduled courses.

Course outline

The topics to be covered will include:

a) An Introduction to the Protection of Personal Information Act (POPIA), the Information Regulator

The topics that this section will cover include:

  • What is POPIA?
  • What is personal information and why should it be protected?
  • Other relevant definitions.
  • What are the 8 conditions for lawful processing and what do they require?
  • What are the penalties for non-compliance with POPIA?
  • What does the Information Regulator do and what does it not do (e.g. provision of training)?

b) Key Role Players And Their Responsibilities

The topics that this section will cover include:

  • Responsible Party:

- What are the duties and responsibilities under this role?

- What reporting obligations does the Responsible Party have, when and to whom should reporting be done?

  • Internal Role Players:

- Who will be structuring, implementing and enforcing the 8 principles within the company?

- Who assists these role players in their duties?

  • Joint Responsible Parties:

- Can a Responsible Party and an Operator be the same person and if so, is this advisable?

- What is the relationship between a Responsible Party and an Operator and how does one differentiate between/identify these roles?

  • Operator:

- What are the duties and responsibilities under this role?

- What reporting obligations does the Operator have, when and to whom should reporting be done?

  • External Role Players:

- Who are the 3rd party role players in privacy law terms?

- How to draw up agreements between the Responsible Party and a 3rd party to ensure that the Responsible Party’s liability with regards to the 3rd party’s conduct is limited?

- What to look for when reviewing agreements with 3rd parties to ensure compliance with POPIA?


This section will involve a discussion on the 8 POPIA Processing Conditions (Accountability; Processing Limitation; Purpose Specification; Further Processing Limitation; Information Quality; Openness; Security Safeguards; and Data Subject Participation).

The lecture will seek to answer the following questions about each of the POPIA Processing Conditions:

  • What is it?
  • What does it require?
  • How does it impact you?
  • What practical steps can you take to comply?

d) Key Actions To Take As A Startup

The topics that this section will cover include:

  • Identifying your relevant legal roles and those of your operators.
  • Identifying your Information Officer (process and requirements) and appointing Deputy Information Officers.
  • Performing a risk assessment.
  • Mapping out your data subjects; personal information; lawful bases; processing purposes and security safeguards.
  • Drafting and rolling-out requisite policies.
  • Entering into appropriate contractual agreements.
  • Updating of existing contracts with data protection clauses.
  • Assessing where you store personal information and what consents you have obtained for cross-border transfers of personal information.

e) The Key Legal Agreements That You Should Consider And What They Are

The topics that this section will cover include: -

  • Organisational Privacy Policies;
  • Organisational Information Security Policies;
  • Data Breach Notification Policies;
  • Confidentiality and Non-Disclosure Agreements;
  • External Privacy Policies;
  • Data Processing Agreements.

Who will benefit from this course?

The following stakeholders will benefit from this course:

  • In-house legal counsel;
  • Directors/heads of tech start-ups;
  • Management level of tech start-ups


This course is presented in conjunction with Zella Tech Law.

How much?

R2,200 per person


A certificate of attendance from UCT will be awarded to students who attend the full course.

How to sign up

Complete and submit the registration form. You will then be given the payment information. Please note that registrations will not be accepted until payment has been made.

One or two days before the course, we will send you the Zoom link. You will need to register and use a password to enter the virtual classroom.

Registrations close three days before the course starts.

Download the brochure.