Why POPIA matters — even for small businesses
The Protection of Personal Information Act has been enforceable since July 2021 and the Information Regulator is now actively investigating breaches, issuing enforcement notices and levying fines. There is no small-business exemption — if you process a single client's name, email or ID number, you are a "responsible party" and the Act applies.
The good news: compliance is achievable for an SME in a matter of weeks with the right approach. The bad news: most SA businesses have done less than they think.
The 8 conditions for lawful processing
- Accountability — you must be able to prove you comply.
- Processing limitation — collect only what you need, with a lawful basis.
- Purpose specification — collect for a specific, defined reason.
- Further processing limitation — don't repurpose data beyond the original reason.
- Information quality — keep data accurate and up to date.
- Openness — publish a privacy notice; register your Information Officer.
- Security safeguards — technical and organisational controls.
- Data subject participation — people can access, correct and delete their data.
The practical POPIA checklist
Governance (week 1)
- Register your Information Officer with the Information Regulator's online portal.
- Assign at least one Deputy Information Officer if the IO is the CEO.
- Draft and approve a written POPIA policy — 3 to 5 pages, not 40.
- Publish a plain-language privacy notice on your website.
- Publish (or update) your PAIA manual and email a copy to inforeg@justice.gov.za.
Records (week 1–2)
- Create a Record of Processing Activities (RoPA) — one row per system that holds personal info (CRM, payroll, mailboxes, WhatsApp, marketing tools).
- For each: what data, why, lawful basis, retention period, who has access, third-party sharing.
- List every third party you share data with and confirm you have an operator agreement in place with each.
Consent & contracts (week 2)
- Update client contracts to include a POPIA clause and specify you as responsible party.
- Update supplier / operator contracts to include the mandatory POPIA operator clauses.
- Update HR contracts and staff handbook with data-handling obligations.
- Marketing lists: confirm every contact has a lawful basis. Purge anyone who doesn't.
Technical baseline (week 2–3)
- MFA enforced on every business account (email, CRM, accounting, cloud storage).
- Full-disk encryption on every laptop and phone that touches company data.
- Endpoint protection managed centrally, not relying on staff.
- Email filtering with anti-phishing and impersonation protection.
- Backups running, encrypted, and test-restored within the last 90 days.
- Access reviews: who has admin? Reduce to the minimum. Rotate shared passwords.
- Documented offboarding process — access removed within 4 business hours of a leaver's last day.
People (ongoing)
- Annual POPIA awareness training for every staff member — 30 minutes is enough.
- Phishing simulation at least twice a year.
- A named contact for data-subject requests, with a target 30-day turnaround.
Breach response plan (a one-pager)
- Contain — isolate affected systems, revoke tokens, reset passwords.
- Assess — what data, how many people, what risk of harm.
- Notify the Information Regulator as soon as reasonably possible (target 72 hours) using their prescribed form.
- Notify affected data subjects in a plain-language communication describing the breach and the steps they should take.
- Remediate — root cause fix, not just symptom fix.
- Document — full incident record kept for at least 5 years.
Tools we actually use with clients
- Microsoft 365 Business Premium — MFA, Conditional Access, Intune, Defender, encryption, audit log.
- Microsoft Purview — data classification, DLP policies for POPI/PCI content.
- Third-party M365 backup (e.g. Redstor, Dropsuite) — because Microsoft's retention is not backup.
- KnowBe4 or Hoxhunt — for staff awareness and phishing simulation.
- 1Password Business or Keeper — for shared credentials that shouldn't live in a spreadsheet.
- Your ticketing / CRM's audit log — evidence of who touched what data and when.
Frequently asked questions
Does POPIA apply to my small business?
Yes. POPIA applies to any 'responsible party' in South Africa that processes personal information — including a two-person business collecting client names, ID numbers or contact details. There is no size exemption.
What are the penalties for non-compliance?
Administrative fines up to R10 million and, for serious offences, imprisonment up to 10 years. More commonly you'll face reputational damage, client contract losses and mandatory Information Regulator investigations.
Do I need to appoint an Information Officer?
Yes. By default the CEO or head of the business is automatically the Information Officer, but the appointment must be registered with the Information Regulator via their online portal.
What's the difference between POPIA and PAIA?
PAIA (Promotion of Access to Information Act) governs how the public can request records from you; POPIA governs how you protect personal information. You need a PAIA manual and POPIA processes — they're separate but related.
How long do I have to report a data breach?
'As soon as reasonably possible' after becoming aware — in practice, within 72 hours to both the Information Regulator and to affected data subjects, unless law enforcement instructs a delay.
Do we need consent for every email we send?
Direct marketing to a person you've never dealt with requires opt-in consent. Existing customers can be marketed related products under a soft opt-in with a clear opt-out. B2B is more permissive but the same principles apply.
How do we handle client data on staff laptops?
Encrypt every device (BitLocker on Windows, FileVault on Mac), enforce MFA, enrol into MDM (Intune), and have a documented remote-wipe process for lost devices. This is the minimum defensible position.
