Guide · 4 July 2026 · 11 min read

POPIA compliance: the complete guide for South African businesses

By Matt Owen, CA(SA) — founder, Komply

The Protection of Personal Information Act has been enforceable in full since 1 July 2021, and the Information Regulator is no longer a body that only writes guidance notes. It investigates, it issues enforcement notices, and it has the power to fine a responsible party up to R10 million. For a South African business, POPIA is not a policy to file away after a once-off audit. It is a standing legal obligation that touches almost every function in the business — HR records, marketing lists, customer databases, CCTV footage, even the contact form on your website.

This guide sets out what POPIA actually requires, in the order a compliance officer, CFO, or business owner needs to think about it: what the Act covers, who it applies to, the eight conditions that define lawful processing, what the Regulator can do to you, and how to build a programme that holds up when someone asks you to prove it.

What POPIA is and why it exists

POPIA — the Protection of Personal Information Act 4 of 2013 — gives effect to the constitutional right to privacy (section 14 of the Constitution) by regulating how personal information is collected, used, stored, and shared. It was signed into law in 2013, but its substantive provisions (including the eight conditions for lawful processing) only commenced on 1 July 2020, with a one-year transition period that gave organisations until 30 June 2021 to become compliant. That grace period is over. Full compliance has been mandatory since 1 July 2021.

Three roles anchor the Act, and the vocabulary matters because it determines whose obligation is whose:

  • Responsible party — the person or organisation that determines the purpose and means of processing personal information. In most B2B and B2C contexts, this is your business.
  • Operator — anyone who processes personal information on behalf of a responsible party (a payroll bureau, an email platform, a cloud hosting provider). Operators have their own statutory duties, discussed below.
  • Data subject — the person the information is about: your customer, your employee, your website visitor.

Who POPIA applies to

This is the point businesses most often get wrong: POPIA is not revenue-gated, sector-gated, or optional for small operators. If your organisation processes personal information — and almost every organisation does, whether that’s an employee database, a customer mailing list, or a CRM — POPIA applies to you. There is no small-business exemption. A five-person business collecting customer email addresses carries the same section 19 security-safeguards obligation as a listed bank, even if what “appropriate and reasonable” looks like will differ sharply between the two (more on that in the section 19 deep dive below).

The Act also has reach beyond South African-registered entities: it applies to processing carried out in South Africa, and to responsible parties outside the country that use automated or non-automated means located in South Africa to process personal information (unless that equipment is only used to forward information through the country). For most domestic SA businesses this is academic — you’re in scope regardless — but it matters if you process South African customer data from an offshore entity.

The eight conditions for lawful processing

POPIA’s operative core is Chapter 3: eight conditions a responsible party must satisfy for processing to be lawful. Every compliance question ultimately resolves to one of these eight.

  1. Accountability (s8): the responsible party owns compliance with all eight conditions — this can’t be delegated away.
  2. Processing limitation (ss9–12): processing must be lawful, minimal, and either consented to or otherwise justified (contract, legal obligation, legitimate interest).
  3. Purpose specification (ss13–14): collect for a specific, defined purpose; don’t retain longer than that purpose requires.
  4. Further processing limitation (s15): using information for a new purpose must be compatible with the original purpose it was collected for.
  5. Information quality (s16): personal information must be kept complete, accurate, and up to date.
  6. Openness (ss17–18): maintain required documentation and notify data subjects, at the point of collection, what you’re collecting and why.
  7. Security safeguards (ss19–22): secure the integrity and confidentiality of personal information through appropriate technical and organisational measures.
  8. Data subject participation (ss23–25): data subjects can request access to, correction of, or deletion of their information.

Condition 7 gets disproportionate attention in this guide, and for good reason: it’s the condition most directly tied to a business’s technical infrastructure, the one most commonly cited in enforcement action, and the one this guide’s companion piece is dedicated to.

Security safeguards: Condition 7 in focus

Section 19 requires a responsible party to secure the integrity and confidentiality of personal information by taking “appropriate, reasonable technical and organisational measures” to prevent loss, damage, or unauthorised access. It doesn’t hand you a checklist — it hands you a four-part test: identify reasonably foreseeable risks, put safeguards in place against them, verify regularly that those safeguards actually work, and update them as circumstances change (s19(2)).

Sections 20 and 21 extend the same discipline to anyone processing information on your behalf — your payroll bureau, your email platform, your outsourced call centre — via a mandatory written agreement. Section 22 then closes the loop: if you suffer a security compromise, you must notify the Information Regulator and affected data subjects as soon as reasonably possible.

We’ve written a full breakdown of what this actually means in practice — the four-part test, the operator-agreement duty, and where continuous compliance monitoring ends and hands-on security testing begins — in POPIA §19: what “appropriate security safeguards” actually requires. If your immediate question is “am I actually secure enough,” that piece — and Deep Scan’s exploit-confirmed web-application scan — is the next stop.

The Information Regulator: enforcement is real

POPIA created the Information Regulator, a statutory body with the power to receive and investigate complaints, issue enforcement notices, and — since the Act came into full effect — impose administrative fines. Two provisions carry the financial weight:

  • Section 109 — the Regulator may impose an administrative fine of up to R10 million, taking into account the nature of the personal information involved, the number of data subjects affected, the likelihood of harm, and whether the contravention was preventable.
  • Section 107 — for the more serious statutory offences (obstructing the Regulator, ignoring an enforcement notice, unlawfully obtaining or disclosing account numbers), the courts can impose a fine and/or imprisonment of up to 10 years. Lesser offences carry a maximum of 12 months.

A responsible party cannot be hit with both an administrative fine and a criminal charge arising from the same facts — but the exposure either way is real, and the Regulator has shown it will use these powers.

Data subject rights

Condition 8 gives every data subject a working set of rights, and Condition 6 (Openness) requires you to tell them about the processing in the first place:

  • Right to be notified (s18) — informed, at or before collection, what’s being collected and why.
  • Right of access (s23) — to request a copy of the personal information you hold about them.
  • Right to correction or deletion (s24) — to have inaccurate information corrected, or information that’s no longer necessary deleted.
  • Right to object (s11(3)) — to object to processing based on legitimate interest.
  • Right to complain (s73) — to lodge a complaint with the Information Regulator.

In practice, this means every business needs a clear, working channel for data subject requests — not just a clause in a privacy policy nobody has tested.

Breach notification duties

Section 22 requires notification of the Information Regulator and affected data subjects “as soon as reasonably possible” after a security compromise where there are reasonable grounds to believe personal information has been accessed by an unauthorised person. Unlike the GDPR’s fixed 72-hour clock, POPIA doesn’t set a hard numeric deadline — the standard is reasonableness, which is a lower bar to miss on a technicality but a harder one to defend after the fact if you sat on a known breach. Notification to the data subject may be delayed only where it would impede a criminal investigation into the compromise.

Where SA businesses actually get caught out

The gaps that show up most often aren’t exotic. They’re the same handful of misses, repeated across almost every business that hasn’t had a proper review:

  • No designated, contactable Information Officer.
  • A privacy policy that exists but isn’t linked from the site, or was written once and never updated.
  • Cookie banners that display but don’t actually block non-essential trackers before consent.
  • No real channel for a data subject to exercise their access or deletion rights.
  • Vendor and operator relationships (payroll, email, cloud storage) with no written agreement addressing security safeguards.
  • Personal information retained indefinitely with no policy governing how long it’s kept.

We’ve turned this into a working checklist you can run against your own website in Is your website POPIA-compliant? A practical checklist — it’s the fastest way to find out where you actually stand.
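The cookie-banner miss in the list above (a banner that renders while the tracker scripts in the page head have already fired) is a client-side logic problem, so here is an added example of the fix, written for this guide and not taken from Komply or any consent-management product. It contrasts the broken pattern with a small consent gate that holds non-essential scripts back until the visitor consents to their category. The DOM injector is passed in as a function so the logic can be exercised in Node; in a browser it would append a script element. All function names and the tracker URLs are this example's own.

```javascript
// Added example, not code from the original guide or from Komply.
// Consent gate: non-essential trackers are queued and only injected once the
// visitor has consented to their category. The DOM injector is passed in so
// the logic runs in Node for testing; in a browser `inject` would append a
// <script> element. Names (createConsentGate, runBrokenPage, runGatedPage)
// and the script URLs are this example's own.

const NON_ESSENTIAL = new Set(["analytics", "marketing"]);

function createConsentGate(inject) {
  const pending = [];         // { category, src } held back until consent
  const loaded = [];          // srcs actually injected, in load order
  const granted = new Set();  // categories the visitor has consented to

  function register(category, src) {
    // Strictly necessary ("essential") scripts need no consent; anything in a
    // non-essential category waits until its category has been granted.
    if (!NON_ESSENTIAL.has(category) || granted.has(category)) {
      inject(src);
      loaded.push(src);
      return "loaded";
    }
    pending.push({ category, src });
    return "pending";
  }

  function grantConsent(categories) {
    for (const c of categories) if (NON_ESSENTIAL.has(c)) granted.add(c);
    // Flush queued scripts whose category is now allowed, preserving order.
    const stillPending = [];
    for (const p of pending) {
      if (granted.has(p.category)) { inject(p.src); loaded.push(p.src); }
      else stillPending.push(p);
    }
    pending.length = 0;
    pending.push(...stillPending);
  }

  function withdrawConsent(categories) {
    // A script that has already run cannot be unloaded; withdrawal only stops
    // future loads and should be paired with clearing the trackers' cookies.
    for (const c of categories) granted.delete(c);
  }

  return {
    register,
    grantConsent,
    withdrawConsent,
    loadedScripts: () => [...loaded],
    pendingScripts: () => pending.map((p) => p.src),
  };
}

// The pattern that fails the check: the banner is rendered, but the tracker
// <script> tags sit in the page head and execute before any consent exists.
function runBrokenPage(inject) {
  const banner = { shown: true, consent: null };
  inject("https://tracker.example/analytics.js"); // constructed URL
  inject("https://tracker.example/ads.js");       // constructed URL
  return banner;
}

// The corrected pattern: only the essential script loads before consent.
function runGatedPage(inject) {
  const gate = createConsentGate(inject);
  gate.register("essential", "/static/session-keepalive.js");         // constructed
  gate.register("analytics", "https://tracker.example/analytics.js"); // constructed
  gate.register("marketing", "https://tracker.example/ads.js");       // constructed
  return gate;
}

// Test double for the DOM: records what a page would have injected.
function recordingInjector() {
  const injected = [];
  return { inject: (src) => injected.push(src), injected };
}

// How many third-party trackers fire before the visitor has consented?
function trackersLoadedBeforeConsent(setup) {
  const rec = recordingInjector();
  setup(rec.inject);
  return rec.injected.filter((s) => s.startsWith("https://tracker.example/")).length;
}
```

Two design points carry over to a real site: the gate never unloads a script that has already executed, so withdrawing consent only stops future loads and should be paired with deleting the trackers' cookies; and the consent decision should be persisted in a first-party cookie or localStorage entry so the banner is not re-shown, and trackers not re-queued, on every page view.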

Building a POPIA compliance programme that holds up

A POPIA programme that survives contact with an audit, a bank’s due-diligence questionnaire, or a Regulator complaint has a handful of standing components, not a once-off event:

  1. Designate an Information Officer and register them with the Information Regulator.
  2. Document your processing — what personal information you hold, why, and on what lawful basis.
  3. Put written agreements in place with every operator that processes information on your behalf.
  4. Give data subjects a real channel to exercise their rights, and resource it.
  5. Monitor continuously, not annually. Most SA businesses treat POPIA as a once-a-year audit item. The gaps open the month after the audit and stay open for eleven months.
  6. Keep the evidence. If the Regulator or a customer ever asks what you did, “we believe we’re compliant” is a much worse answer than a dated record of what was checked and when.

That last point is the specific problem Komply is built to solve — continuous, monthly POPIA monitoring instead of an annual scramble — but the programme itself holds regardless of which tool (or no tool) you use to run it. If you’d rather have this built and maintained for you than run it in-house, Auto Alpha Advisory does the advisory and implementation work end to end.

POPIA is one of four regulatory regimes, not the only one

POPIA rarely operates in isolation for a South African business of any size. The same business is usually also carrying B-BBEE scorecard obligations for procurement access, SARS tax-compliance obligations across multiple tax types, and — if it operates in financial services — FSCA/FAIS conduct obligations. Each has its own regulator, its own deadlines, and its own penalty regime, and none of them talk to each other. We’ve mapped how the four fit together, what applies to whom, and where they intersect, in POPIA vs B-BBEE vs SARS vs FSCA: the South African compliance stack explained.

Frequently asked questions

Is POPIA the same as GDPR?

No, though they share a family resemblance. Both regulate personal information processing and give data subjects similar rights, but POPIA is South African law with its own definitions, its own regulator, and its own penalty structure — notably, no fixed 72-hour breach-notification clock. Compliance with one doesn’t automatically mean compliance with the other.

Does POPIA apply to small businesses?

Yes. There’s no turnover or headcount exemption. What counts as “appropriate and reasonable” security under section 19 will look different for a two-person business than for a large processor of sensitive data, but the obligation itself applies equally.

What’s the difference between a responsible party and an operator?

The responsible party decides why and how personal information is processed — that’s almost always your own business. An operator processes information on the responsible party’s behalf and under its instruction — your payroll provider, your email platform, your hosting company. Operators carry their own security duties under sections 20 and 21, but the responsible party remains accountable overall (Condition 1).

How often should POPIA compliance be reviewed?

Continuously, not annually. Findings change month to month — a new vendor, an expired policy, a misconfigured cookie banner — and an annual review only catches what’s wrong on the day it happens to look.