The Protection of Personal Information Act (POPIA) applies to any South African business that processes personal information, which in practice means almost every business with a customer database, an email list, or staff records. Compliance is not a single checkbox; it is an ongoing set of practices.

Where most businesses are exposed

  • No clear record of what personal information you hold, where it is stored, and who can access it. This is the foundational gap: without it you cannot assess risk, answer a data subject request, or scope a breach.
  • Third-party data sharing with suppliers or service providers (an "operator" in POPIA terms) that has not been formally assessed or covered by a written contract.
  • No documented response plan for a data breach. POPIA requires that the Information Regulator and the affected data subjects be notified as soon as reasonably possible after a compromise is discovered, and working out who does what during an actual incident costs time you do not have.

A practical starting checklist

  • Map what personal information you collect, why you collect it, where it is stored, and how long you retain it.
  • Confirm you have a lawful justification (consent, contract, legal obligation, legitimate interest, and so on) for processing each category of data you hold.
  • Put access controls in place so that only people who need personal information for their role can reach it, and review who has access periodically.
  • Have a written incident response plan that names who notifies the Regulator and data subjects, reviewed at least annually.
  • Designate an Information Officer, as POPIA requires, and register them with the Information Regulator.

None of this needs to happen overnight, but it does need to happen deliberately. An audit is the fastest way to see exactly where your business stands today.
