The Protection of Personal Information Act — POPIA — came into full effect on 1 July 2021. It applies to every business in South Africa that processes personal information, regardless of size. There are no small-business exemptions.
If you collect a customer's name and email address, store employee records on a spreadsheet, keep supplier contacts in your phone, or operate a website with analytics — you are processing personal information under POPIA. The Act does not distinguish between a listed company and a sole proprietor. The obligations are the same.
This guide explains what POPIA requires of small businesses in plain language — the eight conditions for lawful processing, the Information Officer requirement, and the practical steps you can take to comply without spending a fortune on consultants.
What POPIA covers
POPIA protects personal information — any information relating to an identifiable, living natural person or an existing juristic person. This is broader than most small-business owners realise.
It includes customer data such as names, phone numbers, email addresses, and physical addresses. It includes employee records — identity numbers, salary details, performance reviews, and disciplinary records. It covers supplier and contractor contact details. It extends to website analytics that can identify visitors, IP addresses, and cookies. It even covers CCTV footage if individuals can be identified from the recordings.
The only exemption relevant to individuals is processing for purely personal or household activities. The moment you process information in the course of business, POPIA applies.
The eight conditions for lawful processing
POPIA sets out eight conditions that every business must satisfy when processing personal information. These are not optional guidelines — they are legal requirements.
1. Accountability
Your business is responsible for ensuring that all eight conditions are met. You cannot outsource this responsibility. Even if a third party processes data on your behalf, you remain the Responsible Party and must ensure compliance throughout the processing chain.
2. Processing limitation
Personal information must be processed lawfully and in a reasonable manner that does not infringe on the privacy of the data subject. You must have a lawful basis for processing — consent, contractual necessity, legal obligation, or legitimate interest. You may not collect more information than is necessary for the stated purpose.
3. Purpose specification
You must collect personal information for a specific, explicitly defined, and lawful purpose. You must inform the data subject of that purpose at or before the time of collection. You cannot retain information for longer than is necessary to achieve the purpose for which it was collected, unless retention is required by law.
4. Further processing limitation
You cannot repurpose data without the data subject's consent or another lawful basis. If you collected a customer's email address for invoicing, you cannot add them to a marketing mailing list without their separate consent. The further processing must be compatible with the original purpose.
5. Information quality
You must take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading, and updated where necessary. If a customer notifies you that their contact details have changed, you must update your records.
6. Openness
You must maintain a publicly accessible privacy policy that explains what personal information you collect, why you collect it, how you use it, and who you share it with. Section 18 of POPIA prescribes the minimum content of the notification you must provide to data subjects at the time of collection.
7. Security safeguards
You must implement appropriate and reasonable technical and organisational measures to protect personal information against loss, damage, unauthorised access, or unlawful processing. What counts as “appropriate” depends on the nature and sensitivity of the data and the size of your business — but doing nothing is never acceptable.
8. Data subject participation
Data subjects have the right to access their personal information, request correction of inaccurate data, and request deletion of data that is no longer necessary for the purpose for which it was collected. You must have a process in place to handle these requests.
The Information Officer
Every business must appoint an Information Officer. This is not optional. The Information Officer is the person responsible for encouraging compliance with POPIA within your organisation and for dealing with requests from data subjects and the Information Regulator.
For companies and close corporations, the CEO or managing member is the Information Officer by default unless someone else is formally designated. For sole proprietors, you are your own Information Officer.
You must register your Information Officer with the Information Regulator at inforegulator.org.za. Registration is free. The process is straightforward — you complete an online form with your business details and the Information Officer's contact information. There is no cost and no reason to delay.
Seven practical steps to POPIA compliance
Step 1: Map your data
Before you can protect personal information, you need to know where it lives. Create a simple data inventory — a spreadsheet listing every system, application, filing cabinet, and device that stores personal information. For each entry, note what type of data it holds, whose data it is (customers, employees, suppliers), and who has access to it. This exercise alone will reveal gaps you did not know existed.
Step 2: Get your legal basis right
For each type of processing identified in your data map, determine your lawful basis. POPIA recognises several grounds: consent (the data subject agreed), contractual necessity (you need the data to fulfil a contract), legal obligation (the law requires you to process it), and legitimate interest (you have a justifiable business reason that does not override the data subject's rights). Document your legal basis for each processing activity.
Step 3: Write and publish your privacy policy
Section 18 of POPIA requires you to notify data subjects of specific information at or before the time you collect their personal information. At minimum, your privacy policy must state the name and contact details of the Responsible Party, the purpose of collection, whether the supply of information is voluntary or mandatory, the consequences of failure to provide the information, and the data subject's right to access and correct their data. Publish this policy on your website and make it available in your physical premises.
Step 4: Secure your data
Security does not require enterprise-grade software. Start with the basics: use strong, unique passwords for every system that stores personal information. Enable two-factor authentication (2FA) wherever it is available. Restrict access so that only staff who need specific data for their job can access it. Encrypt laptops and mobile devices. Back up data regularly. These measures cost little or nothing and address the majority of risks.
Step 5: Create a data breach response plan
Under Section 22 of POPIA, if you have reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, you must notify the Information Regulator and the affected data subjects as soon as reasonably possible. The widely referenced benchmark is 72 hours. Your plan should specify who is responsible for assessing a breach, who makes the notification decision, and how affected individuals will be contacted.
Step 6: Train your staff
Most data breaches result from human error, not sophisticated cyberattacks. A single one-hour training session covering the basics of POPIA, your privacy policy, and your data handling procedures can dramatically reduce your risk. Document the training — record who attended, what was covered, and when it took place. This documentation demonstrates to the Information Regulator that you took reasonable steps to ensure compliance.
Step 7: Review and update regularly
POPIA compliance is not a once-off project. Review your data inventory, privacy policy, and security measures at least annually. Update them when your business changes — new systems, new staff, new services, or new types of personal information being collected. Set a calendar reminder and treat it as a routine business obligation.
POPIA and PAIA: the connection
The Promotion of Access to Information Act (PAIA) requires every private body to compile a PAIA manual describing how it processes information and how members of the public can request access to records. Your PAIA manual must cross-reference your POPIA privacy policy, and your privacy policy should reference your PAIA manual.
Many small businesses overlook the PAIA requirement entirely. If you have not yet compiled your PAIA manual, read our PAIA annual report guide for a practical walkthrough. The two obligations are closely linked and should be addressed together.
Penalties for non-compliance
The Information Regulator has the power to impose significant penalties for POPIA non-compliance. The Act provides for administrative fines of up to R10 million. Individuals who obstruct the Information Regulator or fail to comply with an enforcement notice face imprisonment of up to 10 years. Breach of confidentiality by anyone who processes personal information carries a penalty of up to 12 months' imprisonment.
These are not theoretical risks. The Information Regulator has been intensifying enforcement since 2023, issuing enforcement notices and conducting investigations across multiple sectors. Small businesses are not immune — the Regulator has publicly stated that compliance is expected of all responsible parties, regardless of size.
Frequently asked questions
Does POPIA apply if I only have a few customers?
Yes. POPIA does not set a minimum threshold based on the number of data subjects you process. Whether you have five customers or five thousand, if you process personal information in the course of business, POPIA applies to you. The only exemption is for purely personal or household activities.
Do I need to pay for POPIA compliance?
The basic requirements of POPIA compliance can be met at no cost. Registering your Information Officer with the Information Regulator is free. Writing and publishing a privacy policy costs nothing if you do it yourself. The main investment is your time — understanding the requirements, mapping your data, and putting the right processes in place.
A customer asks to see their data. What do I do?
Under Section 23 of POPIA, a data subject has the right to request confirmation of whether you hold their personal information and to request a copy of it. You must respond within a reasonable time, provide the information in a reasonable format, and correct any inaccuracies if requested. You may charge a reasonable fee to cover the cost of providing the information, but you cannot refuse the request without lawful grounds.
Do I need a separate privacy policy for employees and customers?
Not necessarily. A single privacy policy can cover both employees and customers, provided it clearly addresses both contexts. The key is that each category of data subject must be able to understand what personal information you collect about them, why you collect it, how you use it, and what their rights are. Many small businesses use one comprehensive policy with separate sections for customers, employees, and suppliers.
What is the difference between a Responsible Party and an Operator?
The Responsible Party is the person or organisation that determines the purpose and means of processing personal information — in most cases, this is your business. The Operator is a third party that processes personal information on your behalf — for example, your payroll provider, cloud software vendor, or marketing platform. POPIA requires a written agreement between the Responsible Party and any Operator, specifying the conditions under which the Operator may process personal information.