
Hospitality and leisure industry: 6 steps to PoPIA compliance

We all hope for more travel and tourism soon. Hospitality players waiting for the big travel surge should use this time to ensure that they understand the requirements of the Protection of Personal Information Act (PoPIA) within their industry.

South Africa boasts luxury hotels and resorts, game reserves, wine estates, affordable B&Bs, golf courses, mountains, forests and golden beaches. It's no wonder that we are a destination of choice for keen travellers at home and abroad.

Be it for work or play, from the moment travellers arrive at your reception desk, their comfort and happiness are largely your responsibility.

That’s not, however, where your responsibility ends. With the introduction of the Protection of Personal Information Act (PoPIA), which comes into full force on 1 July 2021, businesses in the hospitality industry take on a new set of responsibilities to protect their guests’ personal information.

Most of the big players in hospitality in South Africa have already had to deal with the EU’s General Data Protection Regulation (GDPR), which was introduced in 2016 and requires businesses to take measures to protect the personal data of EU citizens.

GDPR and PoPIA are similar, so some businesses will be prepared for PoPIA, while some of the smaller establishments may not be. But there are some surprises lying in wait for even the big players, despite their international experience, as PoPIA has some unique elements not covered by the GDPR.

  1. Responsibility for booking agents

    The keen travellers probably made their reservations using an online booking site, such as,, or Travelstart. Travelstart, based in Cape Town, describes itself as Africa’s leading online travel agency.

    Behind the initial booking site, there may be other parties handling your guests’ information. Under PoPIA, each hospitality player will be responsible for safeguarding the information that all its agents, acting on its behalf, are collecting, and you need to identify all the parties in this chain. If one of your booking agents sells or shares your guests' information with a third party without permission, or starts sending them spam, your business is in breach of PoPIA, as well as theirs.

    Your business should have a PoPIA addendum to existing contracts with all its agents and new contracts should contain a PoPIA clause. All those parties need to agree to abide by certain conditions. They cannot be passively “opted in”. A hospitality business is well within its rights to require its agents to submit to an investigation of their systems and processes to ensure they are PoPIA-compliant.

  2. What kind of information is this?

    When the travellers made their reservations, they would have supplied details personal to them such as passport or ID numbers, credit card details, telephone numbers, addresses and possibly even car registration numbers. What level of protection does this information require?

    PoPIA defines different categories of personal information: personal information (such as ID and passport numbers and credit card details), special personal information (highly sensitive, such as race, health and biometric information), and information that is not personal, so does not fall under the Act. There are more safeguards for special personal information than there are for personal information, but safeguarded the information shall be.

  3. Are we accumulating too much information?

    The keen travellers have now waved you a fond farewell (and hopefully left a generous tip). For how long are you going to keep their details on file?

    Minimality is key: businesses should not collect more personal information than is required. "Personal information" is defined very broadly to mean any information that can be used to identify an individual person or another business entity. So how much do you really require?

    You also need to question why you are keeping personal information (is it necessary for legal purposes?) and if there is no good reason, it must be disposed of in a secure manner. This is important, because under PoPIA, even the keenest traveller has a right to be forgotten.

  4. How secure is this information?

    Taking all reasonable steps to safeguard the personal information in your possession is a critical element in both the GDPR and PoPIA – as the Marriott Hotel Group found out to its cost in 2018.

    Marriott discovered that cybercriminals had hacked its global reservation database and accessed customer credit card and other personal details, involving 339 million people. This had been happening since 2014. Marriott was fined GBP18.4 million in October 2020 and a class action-style suit has been launched in the UK. While the cost in money must certainly hurt, a reputational hit often hurts more.

    PoPIA requires a business to put in place "appropriate, reasonable technical and organisational measures" to prevent loss, theft or damage to personal information.

  5. Is this information travelling overseas, too?

    If your hospitality extends to international partners and loyalty programmes, it is quite likely that you are sharing your guests’ personal information outside South Africa. PoPIA has specific requirements for sharing information outside South African borders.

  6. And on the subject of loyalty...

    Much as you hope to see the travellers again and remind them of the great time they had with you, or want to entice new travellers to enjoy your generous hospitality, some of the ways you treat returning or new guests need to be handled very carefully from now on.

    Unless a person is an existing guest who willingly receives your marketing, a business cannot, under PoPIA, send electronic marketing information without first getting consent. Any request for marketing consent must include language that is set out in the Regulations to PoPIA.

A post-Covid, in-PoPIA future

We all hope to travel more, and venture abroad again, once the worst of the Covid-19 pandemic is past. For a hospitality player, the Covid-induced lull may provide some breathing space to get PoPIA compliance in check and, if necessary, take legal advice on measures to put in place urgently.

About the author

Lisa Swaine and Wendy Tembedza, from Webber Wentzel
