POPIA Compliance · South Africa

POPIA compliance, without the confusion.

POPIA applies to every SA business holding client or employee data. Fines hit R10 million. We make it straightforward: plain language, practical steps, no legal jargon.

Compliant in 4 to 8 weeks · Nationwide · Plain language

Why this matters

"We are too small for POPIA" is not a defence

POPIA has no size threshold. The Regulator does not care about turnover. If you hold a name and an email, the Act applies.

POPIA applies to every business

A name, an email, a phone number, an ID. If you hold any of it, the Act applies. There is no SME exemption. Smaller means simpler compliance, not no compliance.

Information Regulator, South Africa

Fines hit R10 million

Fines up to R10 million for serious violations. Owners and Information Officers can face up to 10 years in prison for specific offences. Enforcement is climbing year on year.

POPIA, Sections 100 to 109

Trust is a competitive advantage

Visible compliance shows clients their data is in safe hands. It also stops a breach from turning into a public-relations disaster.

Industry buyer surveys

Our process

Gap to compliant, in 4 to 8 weeks

Linear path, no surprises. You stay focused on the business, we do the heavy lifting.

01 POPIA gap assessment (week 1)

We audit your data handling against POPIA's 8 conditions. You get a ranked list of what is missing, what is sloppy, and what is fine.

02 Implement and document (weeks 2 to 6)

Information Officer registered. Privacy policy and consent forms drafted for your operation. Breach procedure in place. Staff briefed. PAIA manual built.

03 Maintain compliance (ongoing)

POPIA is not a once-off tick-box. Annual review keeps you in step with business growth and enforcement changes. We are on call between reviews.

What you get

Practical compliance, not a 90-page binder

Real documents that match how your business operates, plus the human to explain them.

Gap assessment report

Your current state mapped against each of POPIA's 8 conditions, with risk ratings and a priority list.

Compliance documentation

Privacy policy, data processing records, consent forms, PAIA manual, breach notification templates. All drafted for your context.

Staff POPIA training

A focused session for your team. What personal information is, how to handle it, what to do if something goes wrong. Plain language.

Information Officer support

Registration with the Information Regulator, plus ongoing support for the IO's responsibilities through the year.

The stakes

Enforcement is real, and increasing

POPIA stopped being a "we will get around to it" item in 2021. The Regulator is now actively investigating, fining, and naming.

Legal risk

R10M

Maximum POPIA fine

The Regulator can impose fines up to R10 million for serious POPIA violations. Enforcement actions are climbing year on year.

POPIA, Section 107

10 years

Possible jail time for responsible individuals

Owners and Information Officers can face criminal liability for certain POPIA offences, including obstructing the Regulator.

POPIA, Sections 100 to 109

100%

Of SA businesses must comply

No size threshold. Sole traders, retailers, medical practices, attorneys, accountants. POPIA applies to all of them.

Information Regulator, South Africa

Common questions

POPIA compliance FAQ for SA SMEs

01 Does POPIA apply to small businesses?

Yes. POPIA applies to any organisation processing personal information of South African residents, regardless of size. If you collect names, emails, or phone numbers, POPIA applies to you.

02 What does POPIA actually require?

Appoint and register an Information Officer. Maintain a PAIA manual. Collect only necessary personal information. Get consent where it applies. Implement reasonable security measures. Have a breach notification procedure ready.

03 What is the penalty for non-compliance?

Fines up to R10 million. Up to 10 years in prison for certain offences. Civil claims from affected people are also possible, plus reputational damage from a publicised breach.

04 How long does compliance take?

For a typical SME, 4 to 8 weeks from start to compliant. That covers data discovery, security measures, policy work, staff training, and IO registration. Highest-risk gaps get closed first.

Get started

Get POPIA compliance help

Tell us about your business. We reply inside one business day to discuss your POPIA position and the next moves.

Address

21 Lighthouse Road, uMhlanga, KZN

Enquire about POPIA compliance

Compliance is more than paperwork

POPIA needs the rest of the stack too

"Reasonable security measures" means actually having them. Pair compliance with an assessment, training, and a tested incident response plan.