Skip to main content

How a POPIA exemption can help your nonprofit

How can nonprofits protect their beneficiaries' data and comply with POPIA's strict requirements without harming operations? This article explains POPIA's exemption provisions and the criteria nonprofits must satisfy to gain exemption approval. 

What is POPIA?

POPIA is South Africa's data privacy law that gives individuals rights over their personal information and places obligations on organisations to properly manage and secure that personal information. It establishes standards for lawful data processing and provides oversight by the Information Regulator.

Why nonprofits should consider POPIA exemptions

Nonprofits all need to find a balance between achieving data privacy and achieving their important operational goals. Most people know, at this point, that POPIA and other data protection laws are at the heart of that data privacy. Compliance with a law like POPIA is often complex, time-consuming, and expensive. These challenges can mean that no matter how much you want to comply to protect your beneficiaries, you are unable to do so to the extent required. A POPIA exemption can be just the relief that your embattled nonprofit needs. There are important requirements that you need to be aware of, though. POPIA requires that you meet these requirements before you can receive an exemption from the regulator.

What you may want to be exempt from

With all the data processing that most nonprofits typically do on a daily basis, there are commercial and legal risks that inherently arise. These risks usually arise because a law like POPIA has certain obligations that a nonprofit struggles to comply with due to the nature of the work the nonprofit does, or limitations related to budgets, resources, and capacity. Think of the following examples of POPIA obligations that your nonprofit may struggle with:

  • Being unable to collect information directly from a data subject (such as beneficiary) because it is cheaper and less time-consuming to get the information from another nonprofit you work with;

  • Difficulties in limiting the processing to just a few identifiers - you may not want to limit the amount of information you collect because you intend to help the data subject in various ways over time;

  • Not always knowing or being able to limit the period of time you need to keep the information over. When a data subject asks you to delete their information (the right to be forgotten), you may be unable to fulfil that right;

  • Only being able to afford basic security measures for the information, and wishing to ask the regulator to exempt you from putting more complex and expensive measures in place; and

  • Being concerned that it takes a while for you to conclude contracts that impose data protection obligations on your service providers and partners, and want the regulator to excuse the delay.

How to get a POPIA exemption

The regulator would require your nonprofit to show that the processing that you want an exemption for is:

  • in the public interest, meaning that it impacts a significant group of people (members of the public), not just a small group; and 
  • significantly and clearly beneficial to data subjects, even though the processing is not compliant with POPIA. Here, you would have to argue and demonstrate that the work your nonprofit does is aimed at improving the lives of your beneficiaries, and that any harm they may suffer due to your data processing is far outweighed by the benefits of your work.

Formatting and submitting your application

You would have to do your application electronically using the form designated by the regulator. Here are the common steps you would have to take:

  • Get your Information Officer involved to help you. Also consider contacting Sicelo Kula for expert assistance with the application;
  • Read the guidance note that the regulator issued;
  • Download and prepare the Exemption Application Form;
  • Attach a cover letter or supporting documents to help bolster your application; and
  • Submit everything via email to this email address: This email address is being protected from spambots. You need JavaScript enabled to view it.. To be safe, also consider sending the application to the email address that was published in the guidance note (This email address is being protected from spambots. You need JavaScript enabled to view it.), but is not on the exemptions page on the regulator's website.

What follows after you have submitted your exemption application?

The regulator will get back to you to acknowledge receipt of your exemption application. They will then assess your application and ask for any additional information or clarification. After that, they may either approve or reject your application. On approving your application, they would publish a notice in the Government Gazette.

Please note, though, that being granted a POPIA exemption does not mean that you stop having to comply with anything in POPIA. There is a good chance that while the regulator may approve your application, they may also attach certain conditions that you have to comply with in order for your exemption status to continue. They may give you a list of minimum actions that you have to take to protect the personal information that you process, and comply with POPIA.

How Michalsons can help your nonprofit

When the regulator approves your application, for example, but attaches extra conditions that your nonprofit must comply with, I provide expert assistance based on many years of working with nonprofits and understanding their legal issues. One example of how Michalsons is helping nonprofits is with the workshops like “Top 10 data protection and contractual issues for nonprofits".  Moving forward, we will be doing a number of these workshops for nonprofits.

Sicelo Kula | Michalsons


Sicelo is an attorney approaches legal problems with a keen interest in applying the law to provide simplified and practical solutions. He is very interested in taking on challenging legal problems and finding workable solutions. His areas of interest include Data Privacy and Protection (specifically for Community Schemes, Non Profits, and Recruitment Agencies), Corporate Governance (specifically IT governance), Commercial Contracts, Labour Law and general Consumer Protection.

Related articles

Unlimited Child and Gift of the Givers Aid Yemeni Refugee Camps
By Roseisha Ishwardutt, The Unlimited Child The Unlimited Child in partnership with Gift of The Givers, a renowned humanitarian organization, is thrilled to announce the launch of a ground-breakin...
Café offers employment for township youths, dignity for the elderly
Neighbourhood Old Age Homes (NOAH)
Neighbourhood Old Age Homes (NOAH) recently opened the All-Day Corner Café (cnr Essex & Regent Streets, Woodstock). The café is the result of a unique collaboration between NOAH and the trendy ...
AI should assist, not replace, the writing process
Ruen Govinder
At #nonprofit, we regularly receive article submissions for our digital magazine. Many of these are excellent, useful resources or insightful thought pieces. However, we have been re...