What is POPIA?

South Africa's data protection law

The Protection of Personal Information Act (POPIA), Act 4 of 2013, became fully enforceable on 1 July 2021. It regulates how organisations collect, store, use, share, and destroy personal information — covering both employee data and customer data.

Every South African business that processes personal information must comply. POPIA isn't optional — and the consequences of non-compliance include fines up to R10 million, imprisonment, civil claims, and serious reputational damage.

The risks of non-compliance

Fines up to R10 million

Or imprisonment of up to 10 years for responsible parties, under section 107 of POPIA.

Reputational damage

A data breach or compliance failure can permanently damage your relationship with clients and staff.

Civil claims

Data subjects whose information is mishandled can pursue civil damages against your organisation.

Regulatory investigations

The Information Regulator has the power to investigate, audit, and enforce against non-compliant organisations.

What we do

Our POPIA compliance services

POPIA Compliance Audit

We assess how your business collects, stores, uses, and shares personal information — identifying gaps and non-compliant practices before they attract penalties.

Information Officer Appointment

POPIA requires every business to appoint an Information Officer. We handle the formal appointment and provide training so your officer understands their responsibilities.

Privacy Policy Development

We draft and implement POPIA-compliant privacy policies, consent forms, and data processing agreements tailored to your business operations.

Consent Procedures

We establish clear consent procedures for collecting and using personal information from employees, clients, and third parties — covering all lawful processing conditions.

Data Breach Protocols

We develop incident response plans and data breach notification procedures, ensuring you respond lawfully and promptly if a breach occurs.

Ongoing POPIA Management

For retainer clients, we provide ongoing POPIA compliance monitoring, policy updates as legislation evolves, and support for data subject access requests.

Staff Training — Videos & Knowledge Tests

We provide structured POPIA training for all staff through instructional videos and assessed knowledge tests — creating documented proof that employees understand their data protection obligations. Training records and pass certificates are maintained as evidence of your compliance programme.

Who This Affects

Does POPIA apply to your business?

POPIA applies to any organisation operating in South Africa that processes personal information. If any of the following apply, you need to be compliant.

Any business that collects employee or customer data

Organisations handling sensitive personal information (health, financial, or biometric data)

Businesses using CCTV, access control, or monitoring systems

Companies onboarding staff with background checks or credential verification

Schools and educational institutions holding learner and parent records

Healthcare providers, legal firms, and financial services organisations

Any South African entity processing personal information

Legal Framework

Legislation that applies

Act 4 of 2013

Protection of Personal Information Act (POPIA)

South Africa's primary data protection legislation. Regulates the collection, storage, use, and sharing of personal information. Became fully enforceable on 1 July 2021.

Act 25 of 2002

Electronic Communications and Transactions Act (ECTA)

Governs electronic communications and transactions, including requirements around data security and electronic records.

Act 66 of 1995

Labour Relations Act (LRA)

Intersects with POPIA in the context of employee monitoring, disciplinary records, and workplace surveillance.

Act 75 of 1997

Basic Conditions of Employment Act (BCEA)

Employee records retention requirements must be managed in compliance with both the BCEA and POPIA.

Common questions about POPIA compliance

POPIA FAQs

Clear answers to help you understand your obligations under South African data protection law.


Does POPIA apply to my small business?

What happens if we haven't appointed an Information Officer?

We already have a privacy policy from our website provider. Is that enough?

How does POPIA affect our HR processes?

What is a data subject access request?

How quickly can OptiHR get us compliant?

Get POPIA compliant — before the Regulator comes knocking.

POPIA compliance is not a once-off exercise — it's an ongoing obligation. OptiHR provides pragmatic, business-friendly POPIA compliance support that protects your organisation without disrupting your operations.



Begin Your Journey Today

Book a free consultation and find out exactly where your business stands — no commitment, no pressure.
