7 Common POPIA Compliance Mistakes South African Businesses Make
Many South African businesses believe they are POPIA-compliant when they are not. Here are the seven most common mistakes we find in practice — and how to fix each one.
POPIA compliance is not binary. Most South African businesses sit somewhere on a spectrum between complete non-compliance and full compliance — often believing they are further along than they actually are.
Based on our assessments of SMEs and mid-market organisations across South Africa, these are the seven mistakes we encounter most often. Each one creates real legal exposure. Each one is also fixable.
Mistake 1: Treating "We Have a Privacy Policy" as Compliance
Publishing a privacy policy on your website is one of POPIA's openness requirements. It is not compliance. It is one item in a checklist of several dozen.
Many organisations — often prompted by a website redesign or a client request — copy a privacy policy template from the internet, publish it, and consider the matter resolved. The policy may be generic, inaccurate about how the organisation actually processes data, and entirely disconnected from any internal procedures.
A privacy policy that does not reflect your actual data processing activities creates its own risk: if you are ever investigated, a policy that misrepresents your practices is worse than no policy at all.
The fix: Your privacy policy should be written based on a data inventory — a documented record of what personal information you actually collect, from whom, for what purpose, and how long you retain it. The policy should reflect reality, not aspiration.
Mistake 2: Not Registering the Information Officer
POPIA requires every responsible party to appoint and register an Information Officer with the Information Regulator. By default, the head of the organisation — CEO, MD, Managing Partner — is the Information Officer until a formal delegation is registered.
Most South African businesses have not done this. Either they are unaware of the requirement, or they assume an internal appointment letter is sufficient. It is not. The Regulator must be notified, and the registration must be completed through the Regulator's online portal.
The consequences of not registering are significant: the head of the organisation carries personal liability for all POPIA compliance failures, often without knowing it. An unregistered delegation is no delegation at all.
The fix: Visit the Information Regulator's portal and complete the Information Officer registration. It is free and takes approximately 20 minutes. If you are delegating the role to a senior employee rather than retaining it at MD level, the delegation must be done in writing and the deputy Information Officer must also be registered.
Mistake 3: No PAIA Manual
The Promotion of Access to Information Act (PAIA) requires all private bodies to prepare a manual that describes the records they hold, the categories of personal information they process, and the procedure for submitting a formal access request. This requirement predates POPIA and is separate from it — but non-compliance with PAIA is also a POPIA compliance failure under the openness condition.
The overwhelming majority of South African SMEs have never heard of the PAIA manual requirement, let alone prepared one. For organisations with more than 50 employees, the manual must be submitted to the South African Human Rights Commission. For smaller organisations, it must be publicly available on request.
The fix: Prepare a PAIA manual using the template provided by the South African Human Rights Commission. The manual must describe your organisation's structure, the categories of records you hold, the personal information you process, and the procedure for access requests. A compliance consultant can prepare this document in a few hours based on your data inventory.
Mistake 4: No Data Inventory
You cannot manage, protect, or report on personal information you do not know you have. A data inventory — also called a record of processing activities (ROPA) — is the foundation of all other POPIA compliance work.
Without a data inventory, you cannot:
- Write an accurate privacy policy
- Define appropriate retention periods
- Identify which departments need staff training
- Scope a data breach notification accurately
- Respond correctly to a data subject access request
Yet most South African SMEs have never systematically mapped what personal information they hold, where it is stored, who has access to it, or how long it is kept.
The fix: Conduct a data inventory workshop with representatives from each department. Document every category of personal information collected, the source, the processing purpose, the lawful basis, the storage location, the retention period, and who has access. This exercise typically takes one to two days for an SME and is the most valuable single compliance activity you can undertake.
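As an added illustration (not the authors' template or tooling), the following Python sketch models the inventory with exactly the fields listed above and shows why it underpins the other items: it flags incomplete entries that would make a privacy policy inaccurate, entries past their retention period, and the entries in scope when a given storage location is compromised. The entries and the `collected_on` retention-clock start date are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class InventoryEntry:
    """One row of the data inventory, using the fields from the fix above."""
    category: str            # category of personal information
    source: str              # who it is collected from
    purpose: str             # processing purpose
    lawful_basis: str        # e.g. consent, contract, legal obligation
    storage_location: str    # system or place where it is held
    retention_days: int      # retention period
    collected_on: date       # start of the retention clock (assumed field)
    access: set = field(default_factory=set)  # roles with access

def missing_fields(entry: InventoryEntry) -> list:
    """Blank fields: a privacy policy written from this row would be inaccurate."""
    return [k for k, v in vars(entry).items() if v in ("", None, set())]

def retention_expired(entry: InventoryEntry, today: date) -> bool:
    """True once the documented retention period has run out."""
    return today > entry.collected_on + timedelta(days=entry.retention_days)

def breach_scope(inventory: list, compromised_location: str) -> list:
    """Entries held in a compromised system: the starting point for scoping
    a Section 22 notification to the Regulator and affected data subjects."""
    return [e for e in inventory if e.storage_location == compromised_location]

def compliance_report(inventory: list, today: date) -> dict:
    """Summarise incomplete rows and rows past retention, keyed by category."""
    return {
        "incomplete": {e.category: missing_fields(e)
                       for e in inventory if missing_fields(e)},
        "expired": [e.category for e in inventory if retention_expired(e, today)],
    }

# Constructed sample inventory for a hypothetical SME, not real data.
TODAY = date(2025, 1, 1)
SAMPLE_INVENTORY = [
    InventoryEntry("customer contact details", "customers (web form)", "order fulfilment",
                   "contract", "CRM", 1825, date(2022, 3, 1), {"sales", "support"}),
    InventoryEntry("job applicant CVs", "applicants", "recruitment",
                   "consent", "HR shared drive", 180, date(2024, 1, 10), {"hr"}),
    InventoryEntry("employee payroll records", "employees", "",
                   "legal obligation", "payroll system", 1825, date(2023, 6, 1), {"finance", "hr"}),
]

if __name__ == "__main__":
    print(compliance_report(SAMPLE_INVENTORY, TODAY))
    print([e.category for e in breach_scope(SAMPLE_INVENTORY, "HR shared drive")])
```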
Mistake 5: Ignoring Data Subject Rights
POPIA gives individuals the right to access information held about them, request corrections, object to processing, and request deletion. These rights exist regardless of whether the data subject is a customer, employee, supplier, or job applicant.
Many organisations have no procedure for handling these requests. When a request arrives — and they do arrive, with increasing frequency as awareness of POPIA grows — the organisation does not know who should receive it, what the response timeline is, or what information they are obligated to provide.
Ignored or inadequately handled data subject requests are one of the most common triggers for Information Regulator complaints, because the path from request to complaint is short and straightforward: the data subject submits a request, receives no adequate response, and submits a complaint to the Regulator. The Regulator can act on this quickly.
The fix: Designate a named contact (typically the Information Officer) for all data subject requests. Document the procedure: how requests are received, who processes them, what the response timeline is (the Act requires a response within a reasonable period — 30 days is the generally accepted standard), and how responses are recorded. Publish the contact details in your privacy policy so data subjects know how to submit a request.
Mistake 6: No Breach Response Procedure
POPIA Section 22 requires organisations to notify the Information Regulator and affected data subjects "as soon as reasonably possible" after becoming aware of a security compromise involving personal information. Practically, this is understood to mean within 72 hours for the Regulator notification.
Most South African businesses have no documented breach response procedure. When an incident occurs — ransomware, a misdirected email containing personal information, a stolen laptop, an unauthorised system access — they are making decisions under pressure without any framework. They often miss the notification window, inadvertently worsen the exposure, or fail to preserve evidence that would have supported their position before the Regulator.
The fix: Document a breach response procedure before you need it. The procedure should cover: who declares an incident, how the scope is assessed, who notifies the Regulator and how, how affected data subjects are notified, how evidence is preserved, and how the incident is recorded. Run a tabletop exercise annually to test whether the procedure actually works.
Mistake 7: No Technical Security Measures for Personal Information
POPIA's security safeguards condition requires organisations to implement appropriate technical and organisational measures to prevent loss, damage, and unauthorised access to personal information. This is not a vague aspiration — it is a legal obligation with specific practical implications.
The most common technical gap we find: no tested backup of personal information. An organisation that processes customer records, employee data, or any other personal information and does not have a tested, off-network backup cannot demonstrate that it has taken appropriate measures to prevent data loss. This is simultaneously a POPIA compliance failure and a business continuity failure.
Other common technical gaps include: no access controls (all staff can access all data), personal information stored in unencrypted email attachments or shared drives with no access restriction, and no staff training on data handling — which means the organisational measures required alongside technical measures are also absent.
The fix: Conduct a technical security review with reference to the specific categories of personal information you process. Implement access controls so that personal information is accessible only to staff who need it for their role. Ensure personal information is encrypted in transit and at rest. Implement a tested, off-network backup strategy. Deliver and record annual staff training on data handling and security awareness.
The Common Thread
All seven of these mistakes share an underlying cause: POPIA compliance was treated as a one-off legal task rather than an ongoing operational responsibility. A policy was drafted, a consultant was engaged, a training session was held — and then the matter was filed away.
POPIA compliance requires the same ongoing attention as financial compliance or health and safety. It needs an owner (the Information Officer), documented procedures, regular reviews, and evidence of continuous operation.
Our POPIA Assessment evaluates your organisation against all eight conditions of the Act and gives you a prioritised remediation plan. Most organisations that complete it are surprised both by the gaps they find and by how achievable the remediation is.