POPI Act compliance checklist for SA small businesses

<h2>What is POPIA and Why Does it Matter?</h2><p>The Protection of Personal Information Act (POPIA) came fully into effect on 1 July 2021. It regulates how South African businesses collect, store, use, and share personal information. Non-compliance can result in fines of up to R10 million or imprisonment.</p><p>Importantly, POPIA applies to virtually every business — even if you just store client email addresses in a spreadsheet.</p><h2>POPIA Compliance Checklist</h2><h3>1. Appoint an Information Officer</h3><p>Every business must designate an Information Officer (IO) responsible for POPIA compliance. For small businesses, this is usually the owner. Register your IO with the Information Regulator at www.justice.gov.za/inforeg/.</p><h3>2. Know What Data You Hold</h3><p>Conduct a data mapping exercise:<ul><li>What personal information do you collect? (names, emails, phone numbers, ID numbers, financial info)</li><li>Where is it stored? (spreadsheets, CRM, email, paper files)</li><li>Who has access to it?</li><li>How long do you keep it?</li></ul></p><h3>3. Get Proper Consent</h3><p>You must have a lawful reason for processing personal information. The most common basis is consent. Ensure:<ul><li>Consent is freely given, specific, and informed</li><li>You can prove consent was obtained</li><li>Subscribers can easily withdraw consent</li></ul></p><h3>4. Update Your Privacy Policy</h3><p>Your website must have a POPIA-compliant Privacy Policy that explains:<ul><li>What data you collect and why</li><li>How long you keep it</li><li>Whether you share it with third parties</li><li>How users can access, correct, or delete their data</li><li>Your Information Officers contact details</li></ul></p><h3>5. Secure Your Data</h3><p>Take reasonable steps to prevent unauthorised access:<ul><li>Use strong, unique passwords and a password manager</li><li>Enable two-factor authentication on email and key systems</li><li>Encrypt sensitive data where possible</li><li>Limit staff access to only data they need</li></ul></p><h3>6. Manage Third-Party Processors</h3><p>If you share personal data with third parties (e.g., email marketing providers, accountants, cloud storage), ensure they are also POPIA-compliant. Update contracts to include POPIA data processing clauses.</p><h3>7. Have a Data Breach Response Plan</h3><p>If a breach occurs, you must notify the Information Regulator and affected individuals as soon as reasonably possible. Document the breach and your response.</p><h3>8. Handle Marketing Lists Correctly</h3><p>Under POPIA, you may only send marketing emails to existing customers or people who have given explicit consent. Always include an unsubscribe option.</p><h2>Free Resources</h2><ul><li>Information Regulator: www.justice.gov.za/inforeg/</li><li>POPIA guidance notes are available free on the IR website</li><li>Many SA law firms offer free POPIA template policies</li></ul><h2>Bottom Line</h2><p>POPIA compliance is not optional, but its also not as complex as it sounds for small businesses. Start with the basics: know your data, get proper consent, secure it well, and have a Privacy Policy.</p>