POPIA compliance affects every part of how South African businesses manage personal data. It requires more than written policies. Businesses must know what information they collect, why they collect it, and how it is stored and shared. This includes appointing an Information Officer, training staff, and maintaining clear processes for access, correction, and breach response. Penalties for non-compliance include fines, civil claims, and reputational harm, making data protection a critical part of day-to-day operations.

South African businesses are legally required to protect the personal information they collect and manage. The Protection of Personal Information Act (POPIA) outlines the conditions under which this information must be processed. POPI compliance is not optional. It is a statutory obligation that affects how companies gather, use, store, and share data. At TAT Accountant, we work closely with clients to navigate the complexities of POPIA and put practical, tailored measures in place to meet the Act’s requirements.

Data Protection In South Africa

The way personal data is collected, stored, and used can affect both the rights of individuals and the legal standing of a business. POPIA was introduced to create clear, enforceable standards for how information must be handled. For companies operating in South Africa, understanding this legislation is essential for compliance, risk reduction, and responsible business practices.

What Is POPIA?

The Protection of Personal Information Act (POPIA), also known as Act 4 of 2013, is South Africa’s data protection law. It sets out clear rules for how personal information must be collected, stored, used, and shared by both public and private entities.

Although the Act was signed into law in 2013, it was implemented in stages. Administrative sections came into effect on 11 April 2014 to allow for the appointment of the Information Regulator. The rest of the Act commenced on 1 July 2020, followed by a one-year compliance period. From 1 July 2021, enforcement became active and binding.

POPIA applies to any organisation that processes personal information, including names, contact details, identity numbers, biometric data, opinions, and other information that can be linked to a person or legal entity. This includes client records, employee files, CRM systems, website forms, and supplier databases.

Oversight is handled by the Information Regulator, an independent statutory body. It has the authority to investigate complaints, conduct compliance assessments, issue enforcement notices, and refer matters for prosecution. Non-compliance may lead to administrative fines up to R10 million, civil claims, or criminal charges in serious cases.

Whether you are a sole trader or a national company, if you handle personal information in any form, POPIA applies to you.

POPIA Vs PAIA

While POPIA focuses on protecting personal information, the Promotion of Access to Information Act (PAIA), enacted in 2000, has a different goal. PAIA is about access, giving people the right to request information held by the state or private bodies where that information is needed to exercise or protect a right.

The key distinction is that:

  • POPIA regulates the collection and processing of personal data, ensuring that privacy is respected.
  • PAIA enables individuals to access information, even if that information is held by private companies, provided the request meets certain criteria.

Although the two laws serve different purposes, they are closely linked. The Information Regulator is responsible for overseeing both, and businesses are required to comply with both Acts. For example, under PAIA, all private companies must publish a PAIA manual outlining how access to records can be requested. That same business must also meet POPIA’s conditions for protecting any personal information it holds.

In practice, POPIA and PAIA form two sides of the same coin: one protects personal data, the other supports transparency.

What Is Personal Information?

POPIA takes a broad view of what qualifies as personal information. It includes obvious details like names and ID numbers, but also covers information that is often overlooked, such as opinions, preferences, and even company data in some cases.

Personal Data Examples

POPIA covers any information that relates to an identifiable, living person. This includes:

  • Full names, ID or passport numbers
  • Contact details such as email addresses or phone numbers
  • Physical addresses or location data
  • Employment, financial, or medical history
  • Biometric information such as fingerprints or facial recognition
  • Personal views, preferences, or confidential correspondence
  • Online identifiers like IP addresses or device IDs

Even a single piece of information may be protected if it can identify someone, especially when combined with other data.

Business And Company Examples

The Act also applies to juristic persons, including companies and other registered entities. Business-related information is protected when it identifies a specific organisation.

Examples include:

  • Company registration or VAT numbers
  • Internal communications or proprietary documents
  • Financial records shared with third parties
  • Contracts and supplier data containing identifiable information

This matters for any business handling client or supplier data, especially in accounting, legal, or financial contexts.

8 Conditions For Lawful Processing

POPI compliance is built around eight conditions that set the standard for how personal information must be handled. These conditions apply to any organisation processing data in South Africa, whether for HR, marketing, customer service, or internal records. They form the basis for compliance and help clarify what responsible data management looks like in practice.

1. Accountability

The business collecting or managing personal information is responsible for complying with all POPIA requirements. This responsibility cannot be transferred to third parties, even if they process data on your behalf.

Example: If you use a payroll service provider, you must still check that their data handling practices meet POPIA standards.

2. Processing Limitation

Information may only be collected and used in lawful, reasonable, and minimal ways. You must have a valid reason for processing the data, and only collect what is necessary.

Example: If you collect customer contact details for billing, you cannot use that same data for unrelated marketing without consent.

3. Purpose Specification

You must clearly define why you are collecting information and only use it for that specific purpose. Individuals must be informed of this purpose at the time of collection.

Example: If you ask employees for medical information to manage sick leave, that data cannot be used for performance reviews.

4. Further Processing Limitation

If you use the information beyond its original purpose, that further use must still be compatible with the reason it was collected.

Example: Reusing supplier details for an unrelated project would require checking that the new purpose is still in line with the original consent or agreement.

5. Information Quality

Reasonable steps must be taken to keep personal information accurate, complete, and up to date, especially if decisions will be made based on that information.

Example: Keeping outdated contact details for clients may lead to errors in billing or delivery, and could be a compliance risk.

6. Openness

Data subjects must be informed when their information is collected, including what will be collected, why, and who will have access to it.

Example: A website collecting personal details through a contact form should include a privacy notice that outlines how the data will be used.

7. Security Safeguards

You must take appropriate steps to protect personal information from loss, theft, or unauthorised access. This includes both digital and physical records.

Example: Secure cloud storage, password protection, staff access controls, and locking paper records in filing cabinets are all part of this principle.

8. Data Subject Participation

Individuals have the right to access their personal information, correct or delete it, and object to how it is being used in certain cases.

Example: A client can request a copy of the information you hold about them and ask for corrections if it is incorrect or outdated.

Key Steps To Achieve POPI Compliance

Meeting POPI compliance requirements starts with understanding your current data practices and building structured processes around them. Below are the core steps every business should take to comply with the Act and reduce risk when handling personal information.

Appoint And Register An Information Officer

Every business must appoint an Information Officer, who is responsible for driving POPI compliance. This role usually defaults to the CEO or managing director, but deputies can also be appointed.

  • Register the Information Officer with the Information Regulator using the prescribed online process.
  • Responsibilities include developing a compliance framework, managing data subject requests, liaising with the Regulator, and overseeing internal training.
  • The Information Officer must also ensure that the company has an updated PAIA manual and an accessible privacy policy.

Map Out And Classify Personal Information

You need to understand what personal data your business collects, stores, shares, and deletes.

  • Compile a full inventory of personal and special personal information processed by your business.
  • Identify sources of data (e.g. clients, suppliers, staff) and methods of collection (e.g. online forms, HR systems).
  • Classify sensitive data such as health records, biometric data, and criminal history separately, as these carry stricter compliance duties.

Audit Data Processing Activities

Review how personal information flows through your business:

  • List who collects and processes data, where it is stored, and how it is shared internally or externally.
  • Examine all platforms, systems, and paper records involved in collecting or storing personal information.
  • Update any agreements with third-party service providers to include POPIA-compliant data processing clauses.

Develop Or Update Internal Policies

Your internal documents must reflect POPIA obligations clearly.

  • Draft or revise your privacy policy, data retention policy, and breach response plan.
  • Include details on the legal basis for processing, consent requirements, and how data subjects can exercise their rights.
  • Make sure your PAIA manual is updated to include all required details and is easily accessible to the public.

Train Staff And Build Internal Awareness

Employees need to understand their role in protecting personal information.

  • Run training sessions on proper handling of personal data, including practical scenarios such as emailing sensitive documents or responding to data requests.
  • Make sure staff understand what to do in case of a data breach or accidental disclosure.

Implement Security Measures

Both technical and organisational safeguards must be in place.

  • Secure access to data through encryption, passwords, physical locks, and permission controls.
  • Regularly test for vulnerabilities and document how risks are monitored and managed.
  • Keep backups and recovery processes documented and accessible only to authorised staff.

Manage Retention And Disposal Of Data

Personal information should only be kept for as long as necessary.

  • Define clear retention periods in your data retention schedule.
  • Destroy or de-identify personal information once its purpose has been fulfilled, unless you have legal grounds to keep it.
  • Make sure backup systems and archives are also purged regularly.

Create A Process For Data Subject Requests

POPIA gives people the right to access, correct, delete, or object to the use of their personal information.

  • Set up a standard process for handling access and correction requests.
  • Include this process in your privacy notice and PAIA manual.
  • Track all incoming requests and ensure they are actioned within reasonable timeframes.

Rights Of Data Subjects

POPIA gives individuals specific rights over how their personal information is handled. These rights apply to anyone whose data your business collects or processes, including clients, staff, and third parties.

The Right To Be Informed

Individuals must be notified when their data is collected. This includes the reason for collection, how it will be used, who it may be shared with, and what their options are. If a breach occurs, they must also be informed.

The Right Of Access

Any person may request access to the personal information you hold about them. They can also ask which third parties have received that information.

The Right To Correction Or Deletion

If data is incorrect, outdated, or no longer necessary, individuals have the right to request that it be updated or removed. These requests must be handled promptly and documented.

The Right To Object

In certain cases, individuals can object to the processing of their data, for example when it is used for direct marketing. If consent was the legal basis for processing, they may withdraw it at any time.

The Right To Complain

If someone believes their personal information has been misused, they can submit a formal complaint to the Information Regulator.

Consequences Of POPIA Non-Compliance

POPI compliance is not a guideline. It is a binding law, and businesses that fail to comply face a range of consequences that can affect finances, operations, and long-term reputation. The risk applies whether the breach is accidental, negligent, or deliberate.

Financial And Criminal Penalties

The Information Regulator may issue administrative fines of up to R10 million for breaches of the Act. These fines are applied per offence and may increase depending on the scale and severity of the violation.

In more serious cases, non-compliance may lead to criminal charges. Offences such as obstructing an investigation, destroying evidence, or knowingly misusing personal data can result in imprisonment of up to ten years. Company directors, officers, or employees may be held personally liable in certain circumstances.

Civil Claims From Data Subjects

Any person who suffers harm due to the unlawful processing of their personal information has the right to seek compensation. Claims can include financial loss, emotional distress, or reputational damage caused by the breach.

Unlike some other forms of liability, POPIA does not require proof of intent. Even unintentional breaches, such as failing to secure data or disclosing information in error, can lead to claims if harm is proven.

Regulatory Investigations And Audits

When complaints are filed, the Information Regulator has the authority to conduct audits or launch investigations. This process may require businesses to hand over records, respond to formal inquiries, or implement corrective actions within tight timeframes.

Failure to cooperate during these processes may result in enforcement notices or further legal action.

Reputational And Operational Risk

Beyond legal penalties, a breach of POPIA obligations can damage the trust of clients, suppliers, and staff. Public disclosure of non-compliance may impact customer retention, reduce referral business, and harm relationships with partners or investors.

Operational disruption is also a risk. Investigations often divert internal resources, while compliance failures may require emergency changes to systems, processes, or staff responsibilities – typically under pressure and at high cost.

Frequently Asked Questions

Does POPIA Apply To Small Businesses?

Yes. POPIA applies to all South African businesses, regardless of size. If your business collects, stores, or processes any personal information – whether from clients, staff, or suppliers – you are required to comply.

Does POPIA Always Require Consent?

Not always. Consent is one lawful basis for processing, but POPIA also allows processing when it is necessary to carry out a contract, comply with legal obligations, or protect a legitimate interest. However, for direct marketing and some types of sensitive data, explicit consent is required.

What Is “Special Personal Information” Under POPIA?

Special personal information includes data about a person’s race, health, biometric data, religious beliefs, political views, sex life, or criminal history. This type of data is subject to stricter rules and may only be processed under limited conditions.

How Do I Know If I’m A “Responsible Party”?

A responsible party is the person or organisation that determines why and how personal information is processed. If your business decides what data to collect and what to do with it, you are the responsible party under POPIA—even if another company processes the data on your behalf.

What Happens If Someone Requests Access To Their Information?

You must respond within a reasonable time, providing a copy of the personal information you hold and explaining how it is used. If the information is inaccurate, the data subject has the right to request corrections or deletion.

Do I Need To Report A Data Breach?

Yes. If personal information has been accessed or disclosed without authorisation, and there is a reasonable risk of harm, you are required to notify both the Information Regulator and the affected individuals as soon as reasonably possible.

Is POPIA Compliance A Once-Off Task?

No. Compliance is ongoing. Businesses must keep policies and practices up to date, review contracts regularly, train staff, and monitor how information is processed and protected.

How TAT Accountant Can Help

Our team works with clients to make POPIA compliance manageable. From creating tailored data protection policies to offering training and support, our goal is to help you meet the legal requirements without disrupting your operations.

If you’re unsure where to begin, contact us and we can guide you through a POPIA readiness assessment and help implement practical changes that reduce risk and improve transparency.

With over 23 years of unwavering expertise, I am a seasoned Chartered Accountant committed to financial excellence. My journey in the realm of finance has been marked by astute strategic insights, meticulous attention to detail, and an unyielding dedication to precision. Over the years, I've navigated the complexities of financial landscapes, providing invaluable counsel to diverse clients. My proficiency extends across auditing, taxation, and financial management, coupled with a profound understanding of regulatory frameworks. As a registered professional, I have consistently upheld the highest standards of integrity and ethics, earning a reputation as a trusted advisor in the dynamic world of finance.