POPIA Compliance Checklist for South African Businesses in 2026
June 8, 2026 · 8 min read
The Protection of Personal Information Act (POPIA) has been fully in force since July 2021. The Information Regulator now actively investigates complaints, and fines can reach R10 million or 10 years imprisonment for serious violations. Yet many South African businesses — especially SMEs — are still not fully compliant.
This checklist covers every action a South African business needs to take. It's written in plain English, not legalese.
1. Appoint and register an Information Officer
Every organisation that processes personal information must appoint an Information Officer and register them with the Information Regulator. For most SMEs, this is the CEO or a senior manager. Registration is free and done through the Information Regulator's online portal at inforegulator.org.za.
Failure to register is one of the most common violations found in audits — and one of the easiest to fix.
2. Publish a POPIA-compliant Privacy Policy
Your Privacy Policy must explain: what personal information you collect, why you collect it (the lawful basis), how long you keep it, who you share it with, and how data subjects can exercise their rights (access, correction, deletion).
The policy must be accessible before any personal information is collected — typically linked in your website footer and in any email sign-up or contact form.
3. Create a Data Processing Register
Document every type of personal information your business processes. For each type, record: what data it is, why you collect it, where it's stored, who has access, and whether it's shared with third parties (including software vendors). This register is what the Information Regulator asks for first in an investigation.
4. Audit your software vendors
Any software that processes your customers' personal information is a "third-party operator" under POPIA. This includes your CRM (HubSpot, Salesforce), email marketing tool (Mailchimp, ActiveCampaign), payment processor (PayFast, Stripe), and cloud storage (Google Drive, Dropbox).
You must ensure each vendor has a Data Processing Agreement (DPA) in place. Most international vendors (HubSpot, Google, etc.) offer standard DPAs — you just need to sign them. Check your account settings or contact their support team.
5. Establish a data breach response procedure
Under POPIA, you must notify the Information Regulator and affected data subjects "as soon as reasonably possible" after discovering a data breach — the guideline is within 72 hours. You need a written procedure covering: who is responsible for detecting and reporting breaches, how affected individuals will be notified, and what steps will be taken to contain the breach.
6. Train your staff
Employees who handle personal information — customer service, sales, HR, finance — must understand their obligations under POPIA. This doesn't require a formal course. A one-hour workshop covering: what personal information is, why it must be protected, what to do if a breach occurs, and how to respond to data subject access requests.
7. Prepare for data subject requests
Any individual whose data you hold can request: a copy of their data, a correction of inaccurate data, or deletion of their data. You have 30 days to respond. Make sure you have a process — even just a dedicated email address — for handling these requests, and that someone is responsible for responding within the deadline.
The POPIA Compliance Starter Kit includes ready-to-use templates for every step above — Privacy Policy, Data Processing Register, Breach Response Procedure, and more. Designed specifically for South African businesses.
Free newsletter
Get new tool audits & buying guides in your inbox
No spam. One email per week with the best new comparisons and SA-relevant software updates.