What does POPIA mean for your small business?

February 8, 2026

You have probably heard of POPIA. You might know it stands for the Protection of Personal Information Act. You might even know it has been in effect since July 2021. But if you are like most small business owners, you are not entirely sure what it actually requires you to do.

This is a plain-language guide. No legal jargon, no scare tactics. Just what POPIA means for a business your size and what steps to take.

Does POPIA apply to your business?

Almost certainly, yes.

POPIA applies to every person and organisation in South Africa that processes personal information. “Personal information” is broad: names, email addresses, phone numbers, ID numbers, financial details, employment records, even IP addresses.

If your business has clients, staff, or suppliers, you have personal information. If you send invoices with someone’s name on them, that is personal information. If you keep a spreadsheet of client contact details, that is personal information. If your email inbox contains messages from real people, those messages contain personal information.

The question is not whether POPIA applies to you. It is whether you are handling personal information in a way that meets the requirements.

What POPIA actually requires

POPIA has eight conditions for lawful processing. In plain language:

1. Accountability. Someone in your business must be responsible for POPIA compliance. This person is called the Information Officer. For businesses with fewer than 250 employees, this defaults to the business owner unless you appoint someone else.

2. Processing limitation. Only collect personal information you actually need. If you ask for a client’s ID number but never use it, you should not be collecting it.

3. Purpose specification. Tell people why you are collecting their information and only use it for that purpose. If someone gives you their email for a quote, do not add them to your marketing newsletter without asking.

4. Further processing limitation. If you want to use information for something new (a purpose you did not originally state), you need a good reason or the person’s consent.

5. Information quality. Keep personal information accurate and up to date. If a client tells you their phone number changed, update your records.

6. Openness. Be transparent about what data you hold and how you use it. This is where your privacy policy comes in.

7. Security safeguards. Protect personal information with “appropriate, reasonable technical and organisational measures.” This is where IT directly connects to POPIA. More on this below.

8. Data subject participation. People have the right to ask what information you hold about them, to correct it, and in some cases to have it deleted.

Condition 7: where IT meets POPIA

For a small business, Condition 7 is the one that ties most directly to your IT setup. The law requires you to protect personal information from loss, damage, and unauthorised access.

In practical terms, that means:

Access controls. Not everyone in your business should have access to everything. A receptionist does not need access to financial records. An intern does not need admin access to your accounting system. Your IT setup should enforce this.

Email security. Email is where most data breaches start. Phishing attacks, compromised accounts, and spoofed emails can all expose personal information. Email authentication (SPF, DKIM, DMARC) lets receiving mail servers reject forged messages that claim to come from your domain, which stops your domain being used in fraud. See our BEACON platform for email authentication monitoring.

Backup. POPIA does not specifically mention backup, but if personal information is lost because you had no backup, you have failed to implement reasonable security measures. A client’s records should not disappear because a hard drive failed.

Device security. Laptops and phones that access personal information should have passwords, encryption, and ideally managed endpoint protection. A stolen laptop with no encryption is a data breach.

Encryption. Where practical, personal information should be encrypted in transit (HTTPS, TLS for email) and at rest (device encryption, encrypted backups).
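The email authentication point under Condition 7 is the one most owners can check themselves. The following is an added example, not code from the original article or from the BEACON platform: it evaluates a domain's SPF and DMARC TXT records against a simple baseline (no "+all", a "-all" fallback, at most 10 lookup terms, a DMARC policy of quarantine or reject with a reporting address). The records below are constructed for the placeholder domain example.co.za; in practice you would fetch them with a DNS TXT lookup.

```python
import re

# Constructed sample TXT records for a placeholder domain; no DNS lookup is made.
SAMPLE_TXT = {
    "example.co.za": ["v=spf1 include:_spf.mailhost.example ~all"],
    "_dmarc.example.co.za": ["v=DMARC1; p=none; rua=mailto:dmarc@example.co.za"],
}
# Terms that each cost a DNS lookup during SPF evaluation (the limit is 10)
LOOKUP_TERM = re.compile(r"^(include:|a($|[:/])|mx($|[:/])|exists:|ptr|redirect=)")

def check_spf(txt_values):
    """Return a list of weaknesses in the domain's SPF record (empty = passes baseline)."""
    spf = [v for v in txt_values if v.lower().startswith("v=spf1")]
    if len(spf) != 1:  # missing, or duplicated (receivers treat two records as invalid)
        return ["no single valid SPF record"]
    terms = spf[0].split()[1:]
    last = terms[-1].lower() if terms else ""
    findings = []
    if last in ("+all", "all"):
        findings.append("'+all' authorises every server on the internet to send as you")
    elif not last.endswith("all"):
        findings.append("no 'all' term: unlisted senders get a neutral result; add '-all'")
    elif last in ("?all", "~all"):
        findings.append(f"'{last}' does not reject unlisted senders; use '-all'")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lstrip("+-~?").lower()))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings

def check_dmarc(txt_values):
    """Return a list of weaknesses in the _dmarc TXT record (empty = passes baseline)."""
    recs = [v for v in txt_values if v.lower().startswith("v=dmarc1")]
    if not recs:
        return ["no DMARC record: receivers cannot apply any policy to spoofed mail"]
    tags = dict(p.strip().lower().split("=", 1) for p in recs[0].split(";") if "=" in p)
    findings = []
    if tags.get("p") == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif tags.get("p") not in ("quarantine", "reject"):
        findings.append("p= policy missing or unrecognised")
    if "rua" not in tags:
        findings.append("no rua= address, so you receive no aggregate reports")
    return findings

def audit_domain(domain, txt=SAMPLE_TXT):
    """Combine both checks for a domain from a dict of TXT records keyed by DNS name."""
    return {"spf": check_spf(txt.get(domain, [])),
            "dmarc": check_dmarc(txt.get("_dmarc." + domain, []))}
```

For the sample records, audit_domain("example.co.za") reports the soft-fail SPF and the monitor-only DMARC policy, which is the typical starting state of a domain that has never been tuned.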

For a detailed look at how each POPIA condition maps to your IT infrastructure, see our article on POPIA as an IT problem.

What happens if you do not comply

POPIA is enforced by the Information Regulator. The consequences of non-compliance include:

  • Fines of up to R10 million. This is the maximum. The actual fine depends on the severity of the breach and whether you can demonstrate that you took reasonable steps to comply.
  • Criminal prosecution. For serious offences (like knowingly processing data without consent), individuals can face up to 10 years in prison. This is aimed at deliberate, egregious violations, not administrative oversights.
  • Civil claims. If someone suffers damage because you mishandled their personal information, they can sue for compensation.
  • Enforcement notices. The Information Regulator can order you to stop processing data or to change how you process it. For a business that relies on client data, this can be as damaging as a fine.

The point is not to frighten you. The Information Regulator has said they are focused on education and building compliance culture, not on punishing small businesses. But the legal framework exists, and the enforcement capacity is growing. The time to sort out your compliance is now, not after an incident.

Five steps to start with

If you have done nothing about POPIA yet, these five steps will get you moving:

  1. Know what personal data you hold. Make a list: client databases, employee records, email, financial records, website forms. You cannot protect what you do not know you have.
  2. Publish a privacy policy. Your website should have a privacy policy that explains what information you collect, why, and how you protect it. This addresses the Openness condition. It does not need to be complicated.
  3. Review your consent. Are people opting in to your marketing emails? Do your website forms explain what you do with the data? Is consent explicit, not pre-ticked?
  4. Secure your IT. This is Condition 7. Passwords, access controls, backup, email security, device encryption. If your IT support is managing this for you, you are probably in better shape than you think. If nobody is managing it, start with the basics: strong passwords, MFA on email, and a working backup.
  5. Appoint an Information Officer. Register with the Information Regulator at inforegulator.org.za. This is a legal requirement, and many businesses have not done it.

Not sure where your business stands?

We can check your IT setup against POPIA’s Condition 7 requirements and tell you where the gaps are. This is what we do for our managed clients as part of their ongoing service.

Get an IT Health Check

Or read our detailed guide: POPIA compliance for your business

Call: 087 820 5005

WhatsApp: 081 526 1626
