
A practical POPIA compliance shortlist

Ten pieces of the right work — mapping, grounds, notices, operator contracts, security, breach plan, IO registration and more.


Written by Martin Kotze, Attorney, Conveyancer & Notary Public

Quick answer
POPIA compliance is ten pieces of structural work: map your processing, assign a lawful ground to each purpose, publish a privacy notice, contract your operators, run the security basics, prepare a breach plan, register your information officer, sort marketing into customers and prospects, set retention rules, and check the narrow special cases. None of it requires asking every data subject for permission to run your business.

The ten steps

  1. Map your processing (see: The eight conditions)

     What personal information, from whom, for what purpose, shared with whom, stored where, kept how long.

  2. Assign a section 11 ground to each purpose (see: The six lawful grounds)

     Use contract, legal obligation and legitimate interest where they genuinely apply; reserve consent for what is truly optional, and record it properly.

  3. Publish a proper privacy notice (see: Privacy notices)

     Cover the section 18(1) items, including the categories of recipients and any cross-border transfers.

  4. Put written contracts in place with every operator (see: Operators)

     Section 21 contracts covering security safeguards and immediate breach reporting, with every operator: payroll, IT, cloud, marketing platforms, collections.

  5. Do the security basics and keep doing them (see: Security safeguards)

     Patch, keep software licensed and supported, monitor, restrict access, and verify the safeguards regularly (s 19). Run a personal information impact assessment (reg 4).

  6. Prepare a breach plan (see: Data breaches)

     Who decides, who notifies, eServices portal credentials ready, draft data-subject notice on file. Notify as soon as reasonably possible; do not wait for the forensic report.

  7. Register your information officer (see: Information officers)

     Before they take up duties (s 55(2)), and every group subsidiary registers its own. Appoint deputies in writing where needed.

  8. Sort your marketing (see: Direct marketing)

     Segment customers (s 69(3)) from prospects (s 69(2)); honour every opt-out; keep the objection and withheld-consent registers; record telephonic consents.

  9. Set retention rules (see: Purpose & retention)

     Per record type, with the section 14(1) exceptions in mind, and actually delete or de-identify records when they expire.

  10. Check the narrow special cases (see: Special personal information)

      Special personal information (ss 26–33), children (ss 34–35), prior-authorisation triggers (s 57), and special or children's data going to non-adequate countries (s 57(1)(d)).
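Step 9 only works if the retention schedule is actually enforced against the data. The script below is an added illustration, not code from this page or from the firm: it applies a per-record-type schedule, deletes or strips direct identifiers from expired records, and sets aside anything under a legal hold or of a type the schedule does not know. The record layout, the schedule durations and the `legal_hold` flag are all assumptions made for the example; in particular, the flag is one way an organisation might mark records that fall under a section 14(1) exception, not a statement of how that exception is determined, and the durations are illustrative rather than taken from the Act.

```python
"""Retention enforcement against a per-record-type schedule (added example).

Assumptions for this illustration (none of these come from the page):
  * a record is a dict with 'id', 'type', 'created' (datetime.date) and optional
    'legal_hold' (True when the organisation has decided a s 14(1) exception applies);
  * SCHEDULE maps record type -> (retention in days after 'created', action on expiry);
  * action 'delete' removes the record, 'de-identify' strips direct identifiers and
    keeps the remaining business fields (for example an invoice amount).
"""
from datetime import date, timedelta

# Hypothetical schedule. Durations are illustrative, not statutory periods.
SCHEDULE = {
    "job_application": (180, "delete"),
    "invoice": (5 * 365, "de-identify"),
    "cctv_clip": (30, "delete"),
}

# Fields treated as direct identifiers in this example's record layout.
IDENTIFYING_FIELDS = ("name", "email", "id_number", "phone")


def de_identify(record: dict) -> dict:
    """Return a copy with direct identifiers removed and a marker set.

    The identifiers are dropped outright rather than hashed: a keyed hash whose
    key is retained would only pseudonymise, which is not what the step asks for.
    """
    out = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    out["de_identified"] = True
    return out


def apply_retention(records: list[dict], today: date) -> tuple[list[dict], list[int], list[int]]:
    """Apply SCHEDULE to records as at `today`.

    Returns (kept, deleted_ids, review_ids):
      kept        - records still held, with expired 'de-identify' records already stripped;
      deleted_ids - ids of expired records removed under a 'delete' rule;
      review_ids  - ids left untouched because of a legal hold or an unscheduled type,
                    so a human can decide rather than the script silently keeping them.
    """
    kept, deleted_ids, review_ids = [], [], []
    for rec in records:
        rule = SCHEDULE.get(rec["type"])
        if rule is None:                      # no rule: never destroy on a guess
            review_ids.append(rec["id"])
            kept.append(rec)
            continue
        days, action = rule
        expired = rec["created"] + timedelta(days=days) <= today
        if not expired:
            kept.append(rec)
            continue
        if rec.get("legal_hold"):             # s 14(1) exception recorded by the organisation
            review_ids.append(rec["id"])
            kept.append(rec)
            continue
        if action == "delete":
            deleted_ids.append(rec["id"])
        else:
            kept.append(de_identify(rec))
    return kept, deleted_ids, review_ids


# Constructed sample data for the example run.
SAMPLE_RECORDS = [
    {"id": 1, "type": "job_application", "created": date(2025, 1, 1),
     "name": "A. Applicant", "email": "a@example.com", "role": "clerk"},
    {"id": 2, "type": "job_application", "created": date(2024, 12, 1),
     "name": "B. Applicant", "email": "b@example.com", "role": "clerk", "legal_hold": True},
    {"id": 3, "type": "invoice", "created": date(2019, 1, 15),
     "name": "C. Customer", "email": "c@example.com", "amount": 100},
    {"id": 4, "type": "invoice", "created": date(2024, 1, 1),
     "name": "D. Customer", "email": "d@example.com", "amount": 250},
    {"id": 5, "type": "support_ticket", "created": date(2020, 1, 1),
     "name": "E. Caller", "phone": "+27000000000"},
    {"id": 6, "type": "cctv_clip", "created": date(2025, 6, 1), "camera": "front-door"},
]


def run_example(today: date = date(2025, 6, 30)) -> tuple[list[dict], list[int], list[int]]:
    """Run the schedule over the constructed sample as at 30 June 2025."""
    return apply_retention(SAMPLE_RECORDS, today)


if __name__ == "__main__":
    kept, deleted, review = run_example()
    print("deleted:", deleted)            # record 1 (expired job application)
    print("needs review:", review)        # record 2 (legal hold), record 5 (no rule)
    for r in kept:
        print(r["id"], r["type"], "de-identified" if r.get("de_identified") else "as stored")
```

Two design points worth keeping when adapting this: an unknown record type goes to review rather than being kept silently, so gaps in the schedule surface, and a held record is reported rather than dropped from the output, so the hold is visible to whoever signs off the run.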

If the myths had you doing the wrong work

Notice what the list does not contain: re-consenting your customer base, refusing references, banning CCTV, repatriating your cloud, or buying a “POPIA certificate”. The myths generate busy-work; the Act asks for structure. It requires knowing why you process what you process, being able to say so, and keeping it safe. For a self-assessment against these steps, the firm’s free POPIA compliance audit checklist walks each item with yes/no questions — and where the answers raise harder questions, that is what we do.

Frequently asked questions

Where should a small business start with POPIA?

Steps 1 and 2: map what you process and why, and assign each purpose its lawful ground. Everything else — the notice, the contracts, retention — falls out of that map.

How much does POPIA compliance cost?

For most SMEs the work is organisational, not capital: a processing map, a privacy notice, operator clauses, security hygiene, registrations. The expensive version is usually fear-driven over-engineering — consent systems for processing that never needed consent.

Is there an official POPIA certification we should buy?

No official certification exists. The Regulator issues none, and no vendor’s certificate changes your statutory position. Spend the budget on the ten steps instead.

How often should the compliance work be revisited?

Annually as a baseline, plus on trigger events: new processing purposes, new providers, structural changes, and regulatory developments — like the April 2025 Regulations amendments.

Sources

See the full POPIA source library for every Act, regulation, guidance note and enforcement document cited across this hub.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.

Work with an attorney

Get POPIA right for your business

Martin Kotze advises on privacy and data protection — grounds mapping, privacy notices, operator agreements, marketing compliance and breach response. General guidance on this page is not a substitute for advice on your facts.