The practical guide to POPIA compliance for South African SMEs

Feeling overwhelmed by POPIA? A practical, plain-language guide to getting your small business compliant, without the legal jargon.

You have heard the term POPIA in meetings, read a few scary headlines about fines, and now you are wondering whether your business is at risk. We have had this exact conversation with plenty of South African owners over the past few years.

The good news: POPIA compliance is not as terrifying as it sounds. The bad news: you cannot afford to ignore it any longer.

What POPIA is, and why it matters

POPIA, the Protection of Personal Information Act, is South Africa’s answer to Europe’s GDPR. It governs how businesses collect, store and use personal information, and it applies whether you run a spaza shop in Soweto or a tech startup in Rosebank.

It has been fully enforceable since July 2021, so the grace period is long gone. The Information Regulator is investigating complaints, and businesses are being fined.

The five core requirements

Skipping the legal jargon, here is the practical version.

  1. Only collect what you need. You can only collect information relevant to your business purpose. If you sell shoes, you do not need a customer’s medical history.
  2. Get proper consent. No pre-ticked boxes or buried clauses. When someone gives you their email, they need to know exactly what you will do with it. Buying something once is not consent to be marketed to forever.
  3. Keep data secure. The spreadsheet of customer details on a desktop is a violation waiting to happen. You need encrypted storage, access controls and proper backups.
  4. Let people access their information. If a customer asks what data you hold, you must provide it within a reasonable time. If they ask you to delete it, you generally must, with some exceptions.
  5. Do not keep data forever. Delete personal information once you no longer need it. There is no reason to hold records from fifteen years ago.

The real cost of getting it wrong

  • Administrative fines: up to R 10 million.
  • Criminal penalties: up to 10 years imprisonment for serious offences.
  • Civil claims: affected people can sue for damages.

Honestly though, the fines are not even the worst part. The reputational damage is. News of a data breach spreads fast, and once customers stop trusting how you handle their information, they are gone.

A practical seven-step roadmap

  1. Appoint an Information Officer. This is legally required. For most SMEs it is the owner or a senior manager. Register them with the Information Regulator.
  2. Map your data. Work out what personal information you collect, where it lives, who can access it and how long you keep it.
  3. Update your privacy policy. Make it clear and accessible, and actually explain what you do with customer data.
  4. Review your consent mechanisms. Check every form and signup. Consent should be explicit and recorded.
  5. Implement security measures. At minimum: passwords, encrypted storage, access controls and regular backups.
  6. Train your team. Everyone who handles customer data needs to understand their responsibilities. Yes, including the intern.
  7. Plan for incidents. Know what you will do if something goes wrong. POPIA requires you to notify the Information Regulator and affected people as soon as reasonably possible after a breach.

Where most SMEs go wrong

  • Assuming it does not apply to them. If you collect any personal information at all, such as names, emails or phone numbers, it applies.
  • Buying a template privacy policy online. These are often generic or written for other countries. You need one tailored to your business and South African law.
  • Focusing only on digital data. POPIA covers paper records too, including that filing cabinet of customer forms.
  • Treating it as a once-off. Compliance needs ongoing monitoring and updates.

Ready to get compliant?

This feels like a lot, and running a business here is hard enough already. Our honest advice is not to do it alone. At Randcore we have a POPIA package built for South African SMEs: we assess where you are, find the gaps, and help you put practical measures in place that do not need a law degree to understand.

The best time to get compliant was 2021. The second best time is now.
