
Processing of Personal Information: POPIA Simplified #2

  • July 1, 2021

POPIA Condition 2: Processing of Personal Information

#POPIASimplified – Episode 2


“Under the Protection of Personal Information Act (POPIA), the 2nd Condition for processing personal information requires you to process personal information in a manner that is lawful and reasonable, and which does not infringe on the right to privacy of the person whose information you are processing [1].”

Woah, let’s try that again: Under POPIA, the 2nd Condition in essence requires that the responsible party (meaning your company) processes your client’s personal information in a way that does not cross any unlawful lines in connection with your client’s right to privacy regarding their personal information.

How do you go about doing this? Let’s break down some concepts:

  • Personal Information means any information that can identify a living natural person such as a person’s identification number, email address, phone number, or home address. 
  • Processing refers to when personal information is either collected, organised, stored, retrieved, distributed, transmitted or destroyed, whether via manual (human) or automatic (computer) operations.  
  • Lawful and reasonable processing, without infringing on the right to privacy, is set out to mean that you can only process information if it is relevant, adequate, and not excessive; in other words, necessary. But most importantly, only if the person whose information you are processing consents to it. Important mental note: even if consented to by your client, processing of their personal information may be objected to, or consent may be withdrawn, at any time.

Examples of what qualifies as necessary include processing for the conclusion of a contract, to comply with an obligation imposed by law, to protect a legitimate interest of the data subject (AKA your client), or, if necessary, for a public body to perform a public duty [2].

As you may know by now, we love depicting concepts through practical, bite-size examples. Let’s have a look at one right now:

Let’s assume Rachel from Dreamhomes sells holiday homes along the West Coast of the country. For contractual purposes of property ownership transfer, she requires a client’s personal information such as their identity number, primary home address and cellphone number.

  • Should Rachel obtain this information, it could be concluded to be relevant and therefore necessary.
  • Should conveyancing regulations require an estate agent to store its client information for a period of 5 years, this will be under an obligation imposed by law; and therefore also necessary.
  • Prior to engaging with any potential buyer, Rachel should also obtain consent to process this type of information whether for contractual or marketing purposes, in order to satisfy the consent requirement, at a minimum.

So let’s assume you tick all of the above boxes and that you process information lawfully (kudos by the way), how do you prove that you are processing personal information for necessary purposes and with consent? How do you manage all these details, such as the consent details across hundreds, if not thousands, of clients?

Our intention is not to overwhelm you with these types of questions, but to help you understand how the fine print actually works and what you need to know to ensure your company’s integrity is intact.

Luckily, consent in itself is not a new concept when it comes to personal information, and platforms such as Salesforce make it their core focus to ensure that you can deal with this lawfully, without having to spend hours with compliance teams trying to dissect each portion of your process with regard to legal POPIA compliance.

In addition, Salesforce easily allows you to restrict processing of data, to ensure that you are compliant when required.

Let’s look at the main reasons why Salesforce is an excellent platform to assist you in lawful and reasonable processing of personal information:

  • Salesforce’s data model manages all aspects of consent, and its platform is designed on the fundamentals of privacy principles, better described as a Consent Management Framework. How it works is this:
    • It allows for system architects (a.k.a the IT guys) to embed this framework into all aspects of business processes and IT structures.
    • This allows for a proactive data model that prevents privacy risks instead of dealing with them after the fact. Let’s just say that the “act now, say sorry later” principle will not fly legally in this situation.
      • What this means, if we reference our practical example, is that if Dreamhomes used Salesforce before POPIA came along, it is likely that they are already compliant with the obligations that are imposed. The best part is, they do so without having to analyse and assess every step their data processing structure is composed of, for hours, days, even weeks on end if lucky.
        Phew, we got fatigued just thinking about that administrative nightmare. 
  • Salesforce classifies its consent framework into user-friendly Data Management Tools that can be set out in 4 different levels:
    • Level 1: Who provides consent and details regarding the purpose of processing information.
    • Level 2: Which channels a person can be contacted on, as well as opt-in preferences, and their preferred time for contact.
    • Level 3: Via which address details a person should be contacted.
    • Level 4: What type of content has been consented to, such as newsletters or announcements, for example.
      • Bringing this all together, it means that whether you deal with authorisation forms that capture consent details, or subscription forms that capture marketing preferences; Salesforce captures this detail in a manner that makes it a breeze to manage.
        “How, though?” you may be asking. Great question!

        They do this by allowing you to have a bird’s eye view and a full, detailed picture of a person’s consent, as well as proof thereof. More accurately described, this is the legal basis for processing personal information [3].

      • Back to our practical example: whether Dreamhomes stores information of new clients for property transfers, or whether they contact prospective buyers about a new development on the beach, Rachel will not only be able to easily manage and see, but more importantly, prove who consented, when they consented, how long they consented for, and whether they preferred to be emailed on a weekend or phoned on a Friday morning. No matter the volume of existing customers or prospective buyers, Rachel can rest assured that Dreamhomes’ processing of personal information will be lawful, reasonable and will not infringe on her target market’s legal right to privacy.


Stay tuned, because next week we’ll be tackling the contentious topic of sending emails under POPIA, especially in the marketing sphere. We know all of this information may seem overwhelming, but no company can afford not to ensure that they are 100% compliant regarding the updated POPIA.

We simply feel that understanding what is expected of you is imperative going forward and if you have any questions, please feel free to get in touch. We’re here to help!


  1. Protection of Personal Information Act 4 of 2013, S9.
  2. Act 4 of 2013, S1 & S9 – 12.  
  3. https://www.cloudkettle.com/blog/mastering-salesforce-consent-management/; CloudKettle – Managing Content with Salesforce – 9 Nov 2020 – https://www.youtube.com/watch?v=AkP_BeC9lws
  4. https://developer.salesforce.com/blogs/2020/10/getting-started-with-lightning-flow-for-developers.html
  5. https://www.cloudkettle.com/blog/mastering-salesforce-consent-management/
