Protection Of Personal Information Act
South Africa’s data protection law, POPIA, is not optional. Compliance comes from responsible data handling.
“If you want to be trusted, be trustworthy.”
Stephen R. Covey
Your POPIA Companion
Note: this isn’t a legal textbook. It’s your hands-on guide to navigating POPIA so you can build confidence and get things done.
Understanding the Basics
POPIA governs how you collect, use, store, and share the personal information entrusted to your business. Think of it as building trust with a clear set of rules.
Who POPIA Applies To
POPIA applies to all businesses, regardless of size.
That includes 🫵:
- Sole proprietors
- Startups and SMEs
- Online businesses
- NGOs and NPOs
If you store personal information on your phone, laptop, email system, WhatsApp, or in the cloud — POPIA applies to your business.
✏️ Tick any boxes that apply to your business:
🔲 You have customer contact details (email, phone, address).
🔲 You collect information on your website (e.g., via contact forms or analytics).
🔲 You have employees or contractors.
🔲 You keep supplier or partner contact information.
🔲 You send newsletters, promotional offers, or marketing messages.
If you ticked any box, POPIA applies to you.
⚠️ As a business owner, POPIA places the responsibility squarely with you:
- You are accountable for how personal data is collected
- You are accountable for how it’s stored
- You are accountable for how it’s used and protected
Even if you use third-party tools or service providers, the responsibility doesn’t disappear. And penalties for non-compliance include administrative fines of up to R10 million, civil claims from affected individuals, and (often the biggest risk for SMEs) reputational damage.
Pinpointing Personal Information
Personal information is broader than you might think! It relates to any data that can identify a person. This includes:
- Names and surnames
- Email addresses and phone numbers
- ID numbers and physical addresses
- Banking and payment details
- Employee records
- Even online data like IP addresses and website tracking
If it points to a real person, POPIA cares about it.
Bear in mind that you could be storing personal information across digital tools, cloud services, physical files, messaging apps, and operational systems.
The 8️⃣ Conditions for Lawful Processing
These are your compliance pillars, which you should know well:
1️⃣ Accountability
- You are responsible for POPIA compliance in your business.
The buck (or ten million) stops with you!
2️⃣ Processing Limitation
- Only collect data that is necessary
- You must have consent, a contract, or a legal obligation
📌 Review your sign-up/order forms and remove any unnecessary fields (e.g., do you really need a title or date of birth?)
3️⃣ Purpose Specification
- Clearly state why you are collecting the data
- Don’t reuse data for unrelated purposes
📌 Document the specific reason for each type of data you collect (e.g., “email address to send order confirmation and receipt”)
4️⃣ Further Processing Limitation
- Any further use must be compatible with the original purpose
For example, you can’t use a customer’s email from a sale to sign them up for your newsletter without new consent.
5️⃣ Information Quality
- Keep data accurate, complete, and up to date
📌 Schedule a quarterly check to update or clean your contact lists.
6️⃣ Openness
- Be transparent
- Have a clear Privacy Policy
- Tell people what data you collect and why
📌 Create or update your Privacy Policy
7️⃣ Security Safeguards
- Protect data from loss, leaks, or unauthorised access
- Use passwords, access controls, encryption where appropriate
📌 Enable two-factor authentication on all business cloud accounts (email, storage) this week.
8️⃣ Data Subject Participation
- People have the right to:
  - Access their data
  - Correct their data
  - Request deletion
  - Object to marketing
- Ensure your contact details are visible so people can ask for their data, correct it, or request deletion.
The Marketing and Consent Hotspot
⛔ You may not send direct marketing (email, SMS, WhatsApp broadcasts) without the person’s consent.
For example:
New Leads: You met someone at a networking event and got their card.
Can you add them to your newsletter? No. You need their specific, clear consent for that purpose.
Existing Customers: Someone bought a laptop from your shop.
Can you email them about a new laptop accessory? Yes, likely. This is the “similar products/services” exception. BUT you must include a clear and free way to opt-out of future marketing in every message.
🚩 Never use purchased, scraped, or rented contact lists. This is a high-risk path to penalties.
Your Digital Front Door – Website Compliance
If you have a website, you must:
- Disclose:
  - What data you collect
  - Why you collect it
  - How long you keep it
  - Who you share it with
- Be upfront about cookies and tracking tools
- Make it easy for people to ask about their data or submit requests
- Display a Privacy Policy (Addressing the points above makes this a breeze!)
When Things Go Wrong
A data breach could be a lost laptop, a hacked email account, or an accidental email to the wrong person.
Your Response Plan:
📦 Contain: Act immediately to stop the breach (e.g., remotely wipe the lost device).
🔎 Assess: Determine the scale and risk.
🗣️ Notify: If there is a real risk of harm, you must:
  - Notify the affected individuals.
  - Notify the Information Regulator.
📝 Document: Keep a record of what happened and the steps you took.
Remember: Covering it up or delaying makes penalties much worse.
POPIA is not optional. But for the savvy entrepreneur, compliance is less about red tape and more about building a trustworthy, secure business.
Simple systems + transparency = your strongest compliance foundation.
Let’s build businesses that respect and protect.
Next ➡️
Complete the quiz below to access your complimentary Privacy Policy guidelines.