POPIA compliance checklist for South African businesses

The Protection of Personal Information Act (POPIA) is not new - it has been fully enforceable since 1 July 2021 - but many South African businesses are still working toward meaningful compliance. The Information Regulator has begun issuing enforcement notices and penalties, and the risk of non-compliance is no longer theoretical.

This article provides a practical checklist that covers what POPIA requires and what you need to do about it. It is aimed at business leaders and IT managers, not lawyers, though you should involve legal counsel for the specifics of your situation.

Understanding POPIA in plain language

POPIA regulates how organisations collect, store, process, and share personal information. “Personal information” is defined broadly - it includes names, contact details, ID numbers, financial records, employment history, biometric data, and any information that can identify a natural or legal person.

If your business holds data about employees, customers, suppliers, or any other individual, POPIA applies to you. There are very few exemptions.

The eight conditions for lawful processing

POPIA establishes eight conditions that must all be met when processing personal information.

1. Accountability

The responsible party (your organisation) must ensure that all eight conditions are complied with. This means appointing someone to take ownership of data protection and ensuring policies, processes, and controls are in place.

Checklist items:

  • Designate a senior person responsible for POPIA compliance
  • Establish a data protection governance framework
  • Document your compliance programme and maintain evidence of ongoing efforts
  • Include data protection obligations in supplier and employment contracts

2. Processing limitation

Personal information may only be processed in a lawful manner, for a legitimate purpose, and only to the extent necessary. You must have a legal basis for every processing activity.

Checklist items:

  • Identify all personal information your business collects and processes (data mapping)
  • Document the legal basis for each processing activity (consent, contract, legal obligation, legitimate interest, etc.)
  • Review consent mechanisms - consent must be voluntary, specific, and informed
  • Ensure you are not collecting more data than necessary for the stated purpose
  • Implement processes to handle objections to processing

3. Purpose specification

Personal information must be collected for a specific, explicitly defined, and lawful purpose. It may not be retained longer than necessary or used for a purpose other than what it was collected for.

Checklist items:

  • Define and document the purpose for each category of personal information you collect
  • Include clear purpose statements in privacy notices and consent forms
  • Implement data retention schedules that define how long each category of data is kept
  • Establish procedures to securely destroy or de-identify data once the retention period expires

4. Further processing limitation

If you want to use personal information for a purpose different from the one it was originally collected for, you must ensure the new purpose is compatible with the original.

Checklist items:

  • Assess compatibility before using personal information for new purposes
  • Obtain fresh consent where the new purpose is not compatible
  • Document decisions and reasoning for compatibility assessments

5. Information quality

You must take reasonable steps to ensure personal information is complete, accurate, not misleading, and up to date.

Checklist items:

  • Implement processes for data subjects to update their information
  • Periodically review and clean databases for accuracy
  • Validate data at the point of collection where practical

6. Openness

You must notify data subjects about the collection of their personal information and be transparent about how it is used.

Checklist items:

  • Publish a comprehensive privacy policy on your website
  • Provide privacy notices at each point of data collection (forms, sign-up pages, contracts)
  • Ensure privacy notices include: what data is collected, the purpose, who it may be shared with, how long it is retained, and how data subjects can exercise their rights
  • Register with the Information Regulator if required (responsible parties processing high volumes of sensitive data)

7. Security safeguards

You must implement appropriate technical and organisational measures to protect personal information against loss, damage, unauthorised access, or unlawful processing.

This is where your IT strategy directly intersects with compliance. Effective security safeguards include:

Technical controls:

  • Encrypt personal information in transit (TLS/SSL) and at rest
  • Implement access controls - only authorised personnel should access personal data
  • Deploy identity and access management solutions with multi-factor authentication
  • Maintain endpoint protection (anti-malware, EDR)
  • Implement network security controls (firewalls, intrusion detection, segmentation)
  • Ensure regular, tested backups of systems containing personal information
  • Monitor for security events through a security operations capability

Organisational controls:

  • Conduct security awareness training for all employees
  • Implement a clear desk and clear screen policy
  • Establish an acceptable use policy for IT systems
  • Include data protection clauses in contracts with third-party processors (IT vendors, cloud providers, outsourced services)
  • Conduct due diligence on third-party processors to verify their security posture

8. Data subject participation

Data subjects have the right to request access to their personal information, to request correction or deletion, and to object to processing.

Checklist items:

  • Establish a process to receive and respond to data subject requests within the timeframes prescribed by POPIA (generally, acknowledge receipt and respond within a reasonable period)
  • Designate a contact point for data subject requests (typically the Information Officer)
  • Ensure your systems can locate and extract all personal information held about a specific data subject
  • Implement procedures to correct, delete, or restrict processing upon valid request

Appointing an Information Officer

Every responsible party under POPIA must have an Information Officer. By default, this is the head of the organisation (CEO, managing director, etc.), but you should formally designate someone with the authority and knowledge to manage compliance.

Checklist items:

  • Formally appoint an Information Officer and register them with the Information Regulator
  • Consider appointing Deputy Information Officers in larger organisations or multi-site businesses
  • Ensure the Information Officer has adequate resources, training, and authority
  • Publish the Information Officer’s contact details on your website and in privacy notices

Breach notification

Section 22 of POPIA requires you to notify the Information Regulator and affected data subjects when there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person.

Checklist items:

  • Establish an incident response procedure that includes breach assessment and notification
  • Define criteria for determining whether a breach is notifiable
  • Prepare notification templates for the Information Regulator and affected data subjects
  • Notify as soon as reasonably possible after discovery - POPIA does not specify an exact timeframe, but the Regulator expects prompt notification
  • Document all breaches, whether notifiable or not, and the decisions made

Cross-border transfers

POPIA restricts the transfer of personal information to countries that do not provide an adequate level of data protection. This is relevant if you use cloud services hosted outside South Africa or share data with international partners.

Checklist items:

  • Identify all cross-border data flows (including cloud storage, SaaS applications, and international vendors)
  • Verify that at least one of the following applies: the recipient country provides adequate protection, the recipient is bound by a binding agreement, or the data subject has consented to the transfer
  • Include data transfer clauses in contracts with international service providers
  • Consider data localisation options for particularly sensitive information

Practical steps to get started

If your compliance programme is still in its early stages, prioritise these actions:

  1. Conduct a data mapping exercise. Understand what personal information you hold, where it resides, who has access, and how it flows through your organisation. You cannot protect what you do not understand.

  2. Appoint your Information Officer and register with the Information Regulator.

  3. Publish a privacy policy that meets the openness condition. Many South African businesses still operate without one.

  4. Review your security controls. Work with your IT governance, risk, and compliance partner to assess whether your technical and organisational safeguards meet the standard POPIA expects.

  5. Implement a data subject request process. Even a simple email workflow is better than nothing.

  6. Train your staff. Every employee who handles personal information needs to understand their responsibilities.

  7. Review third-party contracts. Ensure your suppliers and service providers have appropriate data protection obligations.

Common pitfalls

  • Treating POPIA as a once-off project. Compliance is ongoing. Processes, policies, and training must be maintained and updated as your business and the regulatory environment evolve.
  • Focusing only on customer data. Employee data is equally protected under POPIA. HR processes, payroll, and performance records all fall within scope.
  • Relying on consent alone. Consent is one legal basis for processing, but it is not always the most appropriate. Contractual necessity, legal obligation, and legitimate interest are often more sustainable bases.
  • Ignoring third-party risk. You remain accountable for personal information even when a third party processes it on your behalf.

Moving toward compliance

POPIA compliance is not about perfection on day one. It is about demonstrating a genuine, documented effort to protect personal information. Start with the highest-risk areas, build momentum, and improve continuously.

Get in touch to discuss how we can help you assess your current compliance posture and implement the technical and governance controls your business needs.
