POPIA in plain language

No. Consent is one of six alternative lawful grounds in section 11(1) — processing is equally lawful if it is necessary for a contract, required by law, protects the data subject's interests, performs a public duty, or pursues a legitimate interest. The Act creates no hierarchy and expresses no preference for consent. See the six lawful grounds.

Yes. There is no small-business exemption, no turnover threshold and no industry carve-out — a one-person consultancy and a listed bank are equally bound. The State is bound too: the largest fines so far have been imposed on government departments.

Yes — section 72 allows cross-border transfers through any one of five gateways, including a binding agreement with the foreign recipient. There is no data-localisation rule. Using Microsoft 365, Google Workspace or AWS is typically covered by the provider's data-processing agreement.

Enforcement is a ladder, not a trapdoor: complaint → enforcement notice → fine only if you ignore it. Administrative fines are capped at R10 million; actual fines to date range from R100 000 to R5 million — and every one followed non-compliance with an enforcement notice.

Yes. Unlike the GDPR, POPIA protects identifiable, existing juristic persons: companies, close corporations and trusts are data subjects, and their information is personal information.

Map your processing, assign a section 11 ground to each purpose, publish a proper privacy notice, contract your operators, do the security basics, prepare a breach plan, and register your information officer. The practical compliance shortlist walks through all ten steps.