POPIA Compliance Audit Checklist
A structured 7-day DIY POPIA self-audit. Designed for SA businesses up to ~50 employees who want a clear-eyed view of their POPIA exposure before engaging external counsel.
Written by
Martin Kotze
Attorney, Conveyancer & Notary Public
The POPIA Compliance Audit Checklist walks an SA business through a structured 7-day self-audit across the seven key compliance domains: data mapping, Information Officer registration, section 18 privacy-notice content, section 21 operator agreements, section 19 security measures, section 72 cross-border transfers, and section 22 incident-response readiness. At the end of the 7 days you have a documented compliance baseline and a prioritised remediation list. Suitable for SA businesses up to ~50 employees as a baseline assessment; larger or regulated businesses should engage external counsel for a formal POPIA gap analysis.
The 7-day plan
Data mapping — identify what personal information you process, where, why
Information Officer registration check with the Information Regulator
Privacy notice review — does it satisfy section 18 disclosure requirements?
Operator agreements audit — section 21 written contracts with all processors?
Security measures review — section 19 technical and organisational measures
Cross-border transfer assessment — section 72 lawful basis documented?
Incident response plan dry-run — can you notify the Regulator in 72 hours?
Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.
This guide is general information, not legal advice for your specific matter.