You probably know POPIA exists. You might even know it stands for the Protection of Personal Information Act and that it applies to your business. But do you know what it actually requires from your IT setup?
Most small business owners think POPIA compliance is about privacy policies and consent forms. Those matter, but they are only part of the picture. The majority of POPIA’s eight conditions require technical measures to comply. You cannot meet POPIA requirements using only a document. You need your IT infrastructure to actually support what the law requires.
This is not legal advice. If you need guidance on POPIA’s legal requirements, consult a qualified attorney. What follows is the practical IT side – what POPIA means for how your email works, how your data is backed up, who can access what, and what happens when a device goes missing.
POPIA’s 8 conditions are mostly IT problems
POPIA has eight conditions for lawful processing of personal information. Personal information means anything that identifies a person or company – names, email addresses, phone numbers, financial records, employee details, client lists. If you run a business, you handle this kind of information every day.
Here is what POPIA requires, and where IT comes in:
Condition 1: Accountability – Someone in your organisation must be responsible for POPIA compliance. This is your Information Officer, and by default it is the owner or director. This is a governance issue, not an IT issue, but IT plays a role in demonstrating accountability.
Condition 2: Processing Limitation – Only collect what you need, and only with a lawful basis. This affects forms on your website and how you capture client information, but the enforcement happens at the IT level – what gets stored, where it gets stored, and how long it stays there.
Condition 3: Purpose Specification – Be clear about why you are collecting information. This is mostly a communication requirement (privacy policies, consent forms), but IT systems must be configured to support the stated purpose. If you said you would only use email addresses for quotes, your CRM cannot add them to a marketing list without explicit consent.
Condition 4: Further Processing Limitation – Do not use data for something incompatible with the original purpose. IT systems and access controls enforce this. The same CRM issue applies here.
Condition 5: Information Quality – Keep data accurate and up to date. This is both a business process and an IT issue. Your systems must allow corrections when a client says their details have changed.
Condition 6: Openness – Tell people what you collect and why. This is your privacy policy and consent mechanisms. IT supports this by making privacy information accessible and managing consent records.
Condition 7: Security Safeguards – Protect personal information against loss, damage, and unauthorised access. This is almost entirely an IT problem. Backup, access controls, email security, device encryption, breach detection – all IT.
Condition 8: Data Subject Participation – People have the right to access, correct, or delete their information. IT systems must make this possible. Can you find all records for a client who asks what you hold about them? Can you delete those records if they request it? If you cannot, your IT setup does not support POPIA compliance.
Of the eight conditions, six require IT measures to enforce. A privacy policy and consent forms are necessary, but they are not sufficient. Your actual IT infrastructure needs to work in a way that supports compliance.
How POPIA maps to your IT setup
Here is what POPIA’s requirements look like in practice, mapped to the IT infrastructure most Cape Town small businesses actually use.
Access controls (Condition 7 – Security Safeguards)
Who can access what in your business? Are permissions set properly on shared drives, email, and cloud storage? Does everyone have full access to everything, or is access limited to what each person needs for their job?
POPIA expects you to control who sees personal information. That means:
- Individual user accounts for every person (not one shared login)
- Permissions set on shared folders so not everyone sees payroll, HR files, or client records
- Multi-factor authentication so a stolen password is not enough to access your systems
- A process to remove access when someone leaves the business
If you are not sure who has access to what right now, that is a problem. If an ex-employee’s account is still active six months after they left, that is a POPIA risk.
Backup and recovery (Condition 7 – Security Safeguards)
POPIA requires you to protect personal information against loss or damage. If your server fails and you lose client records, that is not just a business problem – it is a compliance failure.
But here is the thing most businesses get wrong: syncing is not backup. If your files are synced to OneDrive or Dropbox, and someone deletes a file or it gets corrupted, that change syncs everywhere. The file is gone. Sync gives you access from multiple devices. Backup gives you recovery when something goes wrong.
Proper backup means:
- Automatic, scheduled backups of your business data
- Backups stored separately from your main systems (off-site or cloud)
- Regular testing to confirm backups actually work and can be restored
- Microsoft 365 backup (Microsoft does not back up your data for you – they keep it available while the service runs, but if something is deleted or corrupted, recovery options are limited)
If your answer to “where is your backup?” is “I think it is on that external drive somewhere”, your IT does not meet POPIA’s security safeguard requirement. See our Business Continuity solutions for how backup should work.
Email security (Condition 7 + breach prevention)
Email is the most common way data leaves a business, whether through a breach or an honest mistake. POPIA requires security safeguards, and email is one of the biggest vulnerabilities.
What email security means in practice:
- Spam and phishing filtering to stop malicious emails before they reach your inbox
- Email authentication (SPF, DKIM, DMARC) so nobody can send emails pretending to be your business
- Multi-factor authentication on email accounts
- Monitoring for compromised accounts (if someone gets into your email, they can access everything connected to it)
We manage email authentication through BEACON, our DMARC monitoring platform. DMARC is not just about stopping spoofed emails – it is about preventing the kind of email-based attacks that lead to data breaches. And under POPIA Section 22, if personal information is compromised in a breach, you must notify the Information Regulator and affected individuals. Prevention is far better than notification. Our Security solutions cover email protection in detail.
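To make the email authentication point concrete, here is an added example (not code from the article or from BEACON) that parses constructed SPF and DMARC TXT records, as a DNS lookup would return them, and reports whether they would actually stop mail sent in the domain's name; the record values and the example.co.za addresses are made up.

```python
# Added example (not the article's or BEACON's code): judge whether a domain's
# published SPF and DMARC TXT records would actually block mail sent in its name.
# Inputs are constructed sample records; nothing is looked up over the network.

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dict; None if not DMARC."""
    tags = {}
    for part in (txt or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def spf_findings(spf_txt):
    """List weaknesses in an SPF record (empty list means it looks sound)."""
    if not spf_txt or not spf_txt.lower().startswith("v=spf1"):
        return ["no SPF record published"]
    terms = spf_txt.lower().split()
    if "+all" in terms or "all" in terms:        # a bare 'all' defaults to '+'
        return ["SPF ends in +all: any server may send as this domain"]
    if not ("~all" in terms or "-all" in terms):
        return ["SPF does not end in ~all or -all: unlisted senders are not rejected"]
    return []

def dmarc_findings(dmarc_txt):
    """List weaknesses in a DMARC record (empty list means it is enforcing)."""
    tags = parse_dmarc(dmarc_txt)
    if tags is None:
        return ["no DMARC record published: spoofed mail is not policed at all"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: failures are only reported, never blocked")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy {policy!r} is invalid; receivers ignore the record")
    elif int(tags.get("pct", "100")) < 100:      # pct only matters when enforcing
        findings.append(f"DMARC pct={tags['pct']}: only part of failing mail is actioned")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports, so no monitoring")
    return findings

def assess_domain(spf_txt, dmarc_txt):
    """protected is True only when DMARC enforces on 100% of mail and SPF is not
    wide open: a +all SPF lets a spoofer pass SPF, and so DMARC, from anywhere."""
    spf, dmarc = spf_findings(spf_txt), dmarc_findings(dmarc_txt)
    tags = parse_dmarc(dmarc_txt)
    enforcing = (tags is not None and tags.get("p", "").lower() in ("quarantine", "reject")
                 and int(tags.get("pct", "100")) == 100)
    spf_open = any("+all" in f for f in spf)
    return {"protected": enforcing and not spf_open, "findings": spf + dmarc}
```

Run `assess_domain(spf_record, dmarc_record)` on the two TXT values your DNS provider shows for the domain and `_dmarc.<domain>`; an empty findings list with `protected` True is the state the checklist above is asking for.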
Device management (Condition 7 – Security Safeguards)
Laptops and phones contain business data. Client emails, financial records, company documents – all sitting on devices that move between the office, home, coffee shops, and cars. What happens when a device is lost or stolen? What happens when an employee leaves with a company laptop?
POPIA requires appropriate security measures. For devices, that means:
- Encryption so data on a lost or stolen device cannot be read
- Remote wipe capability if a device goes missing
- Managed antivirus and endpoint protection, not just the free version someone downloaded
- A process to wipe and reset devices when staff leave
If your staff use their own devices for work (BYOD), this gets more complicated. You need a way to separate business data from personal data and remove the business data when someone leaves – without wiping their personal photos and messages. Mobile device management (MDM) handles this, but most small businesses have not set it up.
Data retention (Condition 4 – Retention Limitation)
POPIA says you cannot keep personal information longer than necessary for the purpose you collected it. How long is “necessary” depends on the type of data and your legal obligations (tax records must be kept for five years, for example). But POPIA requires you to have a policy and follow it.
Ask yourself:
- Does your email archive keep everything forever?
- Do old client files sit on your server indefinitely, even for clients you have not worked with in years?
- When someone unsubscribes from your mailing list, are their details actually deleted, or just marked as unsubscribed?
- Do you have a documented retention schedule that says what you keep and for how long?
Most businesses have never thought about this. They keep everything because storage is cheap and deleting feels risky. But under POPIA, indefinite retention is non-compliant. Your IT setup needs to support a retention policy – archiving, automated deletion, and the ability to purge records when the retention period expires.
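As an added example that is not part of the article, the following applies a retention schedule of the kind described above to a set of constructed records: the five-year period for tax records is the one cited above, while the three-year client-file period, the record categories and the sample records are assumptions for illustration.

```python
# Added example (not the article's code): apply a documented retention schedule
# to a set of records and say which must be purged and which must be kept. The
# schedule (apart from the five-year tax period) and the records are constructed.
from datetime import date, timedelta

# Category -> how long a record may be kept after its last legitimate use.
# None means the record is consent-based: it lives until consent is withdrawn.
RETENTION_SCHEDULE = {
    "tax_record": timedelta(days=5 * 365),
    "client_file": timedelta(days=3 * 365),   # assumed business-chosen period
    "marketing_contact": None,
}

def records_due_for_purge(records, today, legal_holds=frozenset()):
    """Return (purge, keep): lists of (record id, reason).
    Expired clocks and withdrawn consent lead to purge; legal holds always win;
    records with no schedule entry are kept and flagged for classification."""
    purge, keep = [], []
    for rec in records:
        rid = rec["id"]
        if rid in legal_holds:
            keep.append((rid, "legal hold"))
            continue
        if rec["category"] not in RETENTION_SCHEDULE:
            keep.append((rid, "no schedule entry: classify before deleting"))
            continue
        period = RETENTION_SCHEDULE[rec["category"]]
        if period is None:
            # Being marked 'unsubscribed' is not deletion: the record must go.
            if rec.get("consent_withdrawn"):
                purge.append((rid, "consent withdrawn"))
            else:
                keep.append((rid, "consent still valid"))
        elif rec["last_used"] + period <= today:
            purge.append((rid, f"retention period expired {rec['last_used'] + period}"))
        else:
            keep.append((rid, f"retain until {rec['last_used'] + period}"))
    return purge, keep

# Constructed sample data: one record per situation described in the article.
AS_OF = date(2025, 6, 1)
SAMPLE_RECORDS = [
    {"id": "inv-2018-044", "category": "tax_record", "last_used": date(2018, 3, 1)},
    {"id": "inv-2023-101", "category": "tax_record", "last_used": date(2023, 6, 1)},
    {"id": "client-017", "category": "client_file", "last_used": date(2019, 11, 20)},
    {"id": "mkt-0042", "category": "marketing_contact", "last_used": date(2024, 1, 5),
     "consent_withdrawn": True},
    {"id": "mkt-0043", "category": "marketing_contact", "last_used": date(2024, 1, 5)},
    {"id": "misc-9", "category": "voicemail", "last_used": date(2010, 1, 1)},
]
```

Calling `records_due_for_purge(SAMPLE_RECORDS, AS_OF)` purges the 2018 tax record, the stale client file and the unsubscribed contact, and keeps the rest with a reason; the uncategorised voicemail record is kept and flagged so the schedule is completed rather than silently ignored.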
The breach notification you hope you never need
If personal data is compromised – through a hack, a lost laptop, an email account takeover, or an employee mistake – POPIA Section 22 requires you to notify the Information Regulator and affected individuals. But you can only do that if you know a breach happened and can assess its scope.
Your IT setup determines whether you can detect a breach:
- Do you have monitoring in place to spot unusual account activity?
- Can you tell which files were accessed by a compromised account?
- Do you have logs to show what happened and when?
- Can you determine which personal information was exposed?
Most small businesses have no idea a breach has occurred until a client calls to say they got a suspicious email from the company, or they see a bank transaction they did not authorise. By that point, the damage is done.
Breach response is part of POPIA compliance. That means having the IT infrastructure to detect breaches when they happen, contain them before they spread, and assess the impact. For the full picture on what a data breach response looks like, see our article on data breach response planning.
A quick POPIA IT checklist
Here are ten things you can check right now to see if your IT setup supports POPIA compliance. Answer honestly.
- Is multi-factor authentication (MFA) enabled on all email accounts? If someone gets your password, MFA is the safety net that stops them getting in.
- Is your data backed up off-site, and have you tested a restore in the last six months? Sync is not backup. Can you actually recover your data if something goes wrong?
- Are access permissions set properly on shared drives and cloud storage? Does everyone have access to everything, or is access limited by role?
- Are ex-employee accounts disabled? If someone left three months ago, can they still log in?
- Is email authentication configured? SPF, DKIM, and DMARC stop your domain being used to send fake emails.
- Are laptops and devices encrypted? If a device is stolen, is the data on it protected?
- Do you have a documented data retention policy? Do you know what you keep, for how long, and when it gets deleted?
- Is there an appointed Information Officer, and are their details available? POPIA requires this. By default, it is the business owner or director.
- Do you have a breach response plan? If something goes wrong, do you know what to do, who to notify, and how to contain it?
- Are your devices running managed, monitored antivirus? Not the free version nobody checks – managed protection that someone is actually watching.
If you answered “no” or “not sure” to more than two of these, your IT has gaps that could affect your POPIA compliance. Our POPIA compliance page covers the full picture of what compliance looks like, not just the IT side.
What this means for your IT provider
If you have an IT provider managing your systems, they are a POPIA “operator” – a third party processing data on your behalf. That creates obligations on both sides.
You need to know:
- Do they have appropriate security measures in place to protect your data?
- Are they backing up your data properly, or are they relying on sync?
- Can they help you respond to a breach if one occurs?
- Do they monitor your systems for security threats?
- Do you have a written agreement that covers data protection responsibilities?
POPIA Sections 20 and 21 require written agreements between responsible parties (you) and operators (your IT provider). Most businesses do not have this. If you are choosing an IT provider, or reviewing the one you have, their approach to data protection should be part of the decision. For more on what to look for, see our article on choosing the right IT support provider.
Some IT providers treat POPIA as a compliance checklist to sell you extra services. Others see it as what they should already be doing – proper security, proper backup, proper access controls. The difference matters.
If you are looking at what managed IT support includes, data protection should not be an optional add-on. It is a baseline requirement for any business handling personal information in South Africa. And under POPIA, that is every business.
Not sure if your IT meets POPIA requirements?
Most businesses think they are fine until they actually check what POPIA requires. A quick review of your IT setup shows where the gaps are – access controls, backup, email security, device management, retention policies.
Talk to us about your IT setup
Or get in touch directly:
Call: 087 820 5005
WhatsApp: 081 526 1626
For a broader overview of POPIA compliance beyond just the IT infrastructure side, see our POPIA compliance guide for small businesses.
Already managing your own IT? Make sure your email domain is protected. Check your email authentication with BEACON – from R150 per month.