    POPIA Compliance Checklist for SA Businesses

    Dexani Team · May 15, 2025 · 7 min read

    The Protection of Personal Information Act (POPIA) has been fully enforceable since July 2021, yet many South African businesses are still scrambling to achieve compliance. With the Information Regulator actively investigating complaints and issuing enforcement notices, the time for procrastination is over.

    Non-compliance can result in fines of up to R10 million, imprisonment for responsible individuals, and devastating reputational damage. But beyond avoiding penalties, POPIA compliance builds trust with your customers and partners.

    This comprehensive checklist will help you assess your current compliance status and identify areas that need attention.

    Understanding POPIA Basics

    Before diving into the checklist, let's clarify key concepts:

    • Personal Information: Any information that can identify a living person—names, ID numbers, email addresses, location data, and more
    • Data Subject: The individual whose personal information you're processing
    • Responsible Party: Your organisation—the entity that determines why and how personal information is processed
    • Operator: Third parties that process data on your behalf (like cloud providers or payroll services)
    • Information Officer: The person accountable for your organisation's POPIA compliance

    The POPIA Compliance Checklist

    1. Governance and Accountability

    ☐ Appoint an Information Officer. Every organisation must have a designated Information Officer registered with the Information Regulator. For companies, this is typically a director or prescribed officer.

    ☐ Register with the Information Regulator. Your Information Officer must be registered on the Information Regulator's website. This registration is free and mandatory.

    ☐ Develop a Privacy Policy. Create a clear, accessible privacy policy that explains:

    • What personal information you collect
    • Why you collect it
    • How you use and protect it
    • How long you keep it
    • Data subject rights and how to exercise them

    ☐ Create Internal Policies and Procedures. Document your data handling practices:

    • Data classification guidelines
    • Access control policies
    • Data retention schedules
    • Incident response procedures

    2. Lawful Processing

    POPIA requires a lawful basis for processing personal information. Ensure you can justify every type of data you collect.

    ☐ Identify Your Lawful Basis. For each category of personal information, document your lawful basis:

    • Consent from the data subject
    • Contractual necessity
    • Legal obligation
    • Legitimate interest
    • Protection of a data subject's legitimate interest

    ☐ Review Consent Mechanisms. If relying on consent:

    • Is it freely given, specific, and informed?
    • Can data subjects withdraw consent easily?
    • Do you have records of consent?
    • Is consent requested separately from other terms?

    ☐ Minimise Data Collection. Only collect personal information that is directly relevant to your purpose. If you don't need it, don't collect it.

    3. Direct Marketing Compliance

    POPIA has specific rules for marketing communications.

    ☐ Obtain Opt-In Consent for Marketing. Direct marketing requires prior consent unless you have an existing customer relationship and are marketing similar products.

    ☐ Provide Easy Opt-Out. Every marketing communication must include a clear, free mechanism to opt out of future communications.

    ☐ Maintain Opt-Out Lists. Keep accurate records of individuals who have opted out and ensure they don't receive further marketing.
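    The opt-out items above translate into two controls a mail pipeline can enforce automatically: a suppression list that is checked against every send list, and a refusal to send any marketing message that lacks an opt-out mechanism. The script below is an added illustration written for this article, not Dexani's code; the address normalisation rule (trim and lowercase) and the regex used to detect an unsubscribe link are assumptions, and the addresses and message bodies are constructed sample data.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple


def normalise_email(addr: str) -> str:
    """Canonical form so that letter case or stray whitespace cannot slip past the opt-out list (assumed rule)."""
    return addr.strip().lower()


class SuppressionList:
    """Opt-out register: normalised address -> ISO timestamp of when the person opted out."""

    def __init__(self) -> None:
        self._entries: Dict[str, str] = {}

    def add(self, addr: str, when: datetime) -> None:
        # Keeping the timestamp gives you the record of the opt-out, not just the fact of it.
        self._entries[normalise_email(addr)] = when.isoformat()

    def contains(self, addr: str) -> bool:
        return normalise_email(addr) in self._entries

    def filter_recipients(self, recipients: List[str]) -> Tuple[List[str], List[str]]:
        """Split a send list into (allowed, suppressed)."""
        allowed: List[str] = []
        suppressed: List[str] = []
        for addr in recipients:
            (suppressed if self.contains(addr) else allowed).append(addr)
        return allowed, suppressed


# Assumption: an opt-out mechanism is recognised by an unsubscribe / opt-out reference in the body.
OPT_OUT_PATTERN = re.compile(r"\b(unsubscribe|opt[- ]?out)\b", re.IGNORECASE)


def has_opt_out(body: str) -> bool:
    return OPT_OUT_PATTERN.search(body) is not None


def prepare_campaign(recipients: List[str], body: str, suppression: SuppressionList) -> Tuple[List[str], List[str]]:
    """Refuse a message without an opt-out, then drop every suppressed address from the send list."""
    if not has_opt_out(body):
        raise ValueError("marketing message has no opt-out mechanism")
    return suppression.filter_recipients(recipients)


# Constructed sample data.
SUPPRESSION = SuppressionList()
SUPPRESSION.add("Jane.Doe@Example.COM", datetime(2025, 3, 2, 9, 30))

CAMPAIGN_LIST = ["jane.doe@example.com", "sam@example.co.za", "  JANE.DOE@example.com "]
BODY_OK = "Our winter specials are here. To unsubscribe, visit https://example.com/opt-out"
BODY_MISSING = "Our winter specials are here."


def run_sample() -> Tuple[List[str], List[str]]:
    return prepare_campaign(CAMPAIGN_LIST, BODY_OK, SUPPRESSION)


if __name__ == "__main__":
    allowed, suppressed = run_sample()
    print("send to:", allowed)
    print("suppressed:", suppressed)
```

    Because the check runs on the normalised address, the same person recorded once as Jane.Doe@Example.COM is suppressed however the address is later typed into a send list; that is the failure mode most opt-out complaints come from.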

    4. Data Subject Rights

    POPIA grants individuals specific rights that your organisation must honour.

    ☐ Establish Request Handling Procedures. Create processes to handle:

    • Access requests: Individuals can request details of what information you hold
    • Correction requests: Individuals can request inaccurate information be corrected
    • Deletion requests: Individuals can request their information be deleted (subject to retention requirements)
    • Objection to processing: Individuals can object to certain types of processing

    ☐ Respond Within Required Timeframes. You must acknowledge requests immediately and respond substantively within a reasonable time.

    ☐ Provide Information for Free. The first request should be free of charge, with reasonable fees permitted only for subsequent requests.

    5. Data Security

    POPIA requires appropriate technical and organisational measures to protect personal information.

    ☐ Implement Access Controls

    • Role-based access—employees only access data they need
    • Unique user accounts—no shared logins
    • Strong password policies and MFA
    • Regular access reviews
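    A "regular access review" is only useful if it produces concrete findings. The script below, an added example written for this article and not Dexani's tooling, takes an account export of the kind an identity system or HR-linked directory can produce and flags the four problems the list above names: permissions beyond what the account's role needs, accounts without MFA, shared logins, and accounts nobody has used recently. The role model, the 90-day staleness threshold and the accounts themselves are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Constructed role model (assumption): each role lists the permissions its holders need.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "payroll_clerk": {"payroll.read", "payroll.write"},
    "support_agent": {"customer.read", "ticket.write"},
    "hr_manager": {"employee.read", "employee.write", "payroll.read"},
}

STALE_AFTER = timedelta(days=90)  # assumption: no login for 90 days counts as stale


@dataclass
class Account:
    username: str
    role: str
    permissions: Set[str]       # what the account can actually do today
    mfa_enabled: bool
    last_login: Optional[date]  # None if the account has never been used
    shared: bool = False        # generic logins such as "reception" used by several people


def review_account(acct: Account, today: date) -> List[str]:
    """Return the review findings for one account (an empty list means no issues)."""
    findings: List[str] = []
    expected = ROLE_PERMISSIONS.get(acct.role)
    if expected is None:
        findings.append(f"unknown role {acct.role!r}")
    else:
        # Least privilege: anything beyond the role's entitlement needs a justification or removal.
        excess = sorted(acct.permissions - expected)
        if excess:
            findings.append("excess permissions: " + ", ".join(excess))
    if not acct.mfa_enabled:
        findings.append("MFA not enabled")
    if acct.shared:
        findings.append("shared login")
    if acct.last_login is None or today - acct.last_login > STALE_AFTER:
        findings.append(f"stale account (no login in {STALE_AFTER.days} days)")
    return findings


def access_review(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map each account that has at least one finding to its findings."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            report[acct.username] = findings
    return report


# Constructed sample export.
TODAY = date(2025, 5, 15)
SAMPLE_ACCOUNTS = [
    Account("thabo", "payroll_clerk", {"payroll.read", "payroll.write"}, True, TODAY - timedelta(days=5)),
    Account("reception", "support_agent", {"customer.read", "ticket.write"}, False, TODAY - timedelta(days=1), shared=True),
    Account("lerato", "hr_manager", {"employee.read", "employee.write", "payroll.read", "payroll.write"}, True, TODAY - timedelta(days=120)),
]


def run_sample() -> Dict[str, List[str]]:
    return access_review(SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for user, issues in run_sample().items():
        print(f"{user}: " + "; ".join(issues))
```

    Run against a real export, the output is the list a line manager signs off on during the review; keeping the signed-off reports is the evidence that access reviews actually happen, which is what an auditor or the Information Regulator will ask to see.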

    ☐ Encrypt Sensitive Data

    • Encrypt data at rest (stored data)
    • Encrypt data in transit (communications)
    • Secure key management

    ☐ Secure Physical Records. Paper documents containing personal information must be:

    • Stored in locked cabinets
    • Accessed only by authorised personnel
    • Securely destroyed when no longer needed

    ☐ Deploy Security Technologies

    • Firewalls and intrusion detection
    • Endpoint protection (antivirus/EDR)
    • Email security and spam filtering
    • Regular security updates and patching

    ☐ Conduct Regular Security Assessments

    • Vulnerability scans
    • Penetration testing
    • Security audits

    6. Third-Party Management

    When you share personal information with operators (service providers), you remain responsible for its protection.

    ☐ Conduct Due Diligence on Operators. Before engaging service providers that process personal information:

    • Assess their security practices
    • Review their privacy policies
    • Verify their compliance status

    ☐ Implement Written Agreements. Operator agreements must include:

    • Processing only on your instructions
    • Confidentiality obligations
    • Security requirements
    • Breach notification obligations
    • Deletion or return of data on termination

    ☐ Monitor Operator Compliance. Regularly review that operators are meeting their obligations.

    7. Cross-Border Data Transfers

    POPIA restricts transfers of personal information outside South Africa.

    ☐ Identify Cross-Border Transfers. Document where personal information is transferred internationally, including:

    • Cloud services hosted overseas
    • International group companies
    • Offshore support providers

    ☐ Ensure Adequate Protection. Cross-border transfers are only permitted if at least one of the following applies:

    • The recipient is in a country with adequate data protection laws
    • The recipient is bound by a binding agreement
    • The data subject has consented to the transfer
    • The transfer is necessary for contract performance

    8. Data Breach Management

    Security incidents involving personal information trigger notification obligations.

    ☐ Develop an Incident Response Plan. Document procedures for:

    • Detecting and containing breaches
    • Assessing the impact and risk
    • Notifying the Information Regulator
    • Notifying affected data subjects
    • Documenting and learning from incidents

    ☐ Establish Notification Procedures. If a breach poses a risk of harm to data subjects, you must notify:

    • The Information Regulator as soon as reasonably possible
    • Affected data subjects without delay

    ☐ Maintain Breach Records. Keep records of all security incidents, even those that don't require notification.

    9. Data Retention and Destruction

    Personal information must not be kept longer than necessary.

    ☐ Develop a Retention Schedule. Document how long you keep each category of personal information and the legal basis for each retention period.

    ☐ Implement Secure Destruction. When retention periods expire:

    • Securely delete electronic records (properly wipe the data rather than just deleting the file)
    • Shred physical documents
    • Ensure operators also destroy data

    ☐ Document Destruction. Maintain records of what was destroyed and when.
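    The three items in this section (a schedule with a basis per category, secure destruction when the period lapses, and a destruction record) fit naturally into one scheduled job. The script below is an added example written for this article, not Dexani's code: it keeps the retention schedule as data, finds file-backed records whose period has expired, overwrites them before unlinking, and appends a destruction log entry that records a hash of the record reference rather than the identifier it has just destroyed. The categories, retention periods, stated bases and records are constructed assumptions, not legal advice on what the correct periods are.

```python
import hashlib
import json
import os
import tempfile
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed retention schedule (assumption): category -> (retention period, basis recorded in the log).
RETENTION_SCHEDULE: Dict[str, Tuple[timedelta, str]] = {
    "job_applications": (timedelta(days=180), "hiring decision concluded; no further purpose (assumed)"),
    "invoices": (timedelta(days=5 * 365), "financial record-keeping obligation (assumed period)"),
    "marketing_leads": (timedelta(days=365), "consent-based processing; purpose lapsed (assumed)"),
}


def secure_delete(path: str, passes: int = 1) -> None:
    """Overwrite the file's contents with random bytes, sync to disk, then unlink it."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            f.write(os.urandom(size))
            f.flush()
            os.fsync(f.fileno())
    os.remove(path)


def expired_records(records: List[dict], today: date) -> List[dict]:
    """Return the records whose retention period has lapsed under the schedule."""
    expired = []
    for rec in records:
        period, _ = RETENTION_SCHEDULE[rec["category"]]
        if today - rec["last_activity"] > period:
            expired.append(rec)
    return expired


def destroy_expired(records: List[dict], today: date, log_path: str) -> List[str]:
    """Destroy expired records and append one JSON line per destruction to the log."""
    destroyed = []
    for rec in expired_records(records, today):
        secure_delete(rec["path"])
        _, basis = RETENTION_SCHEDULE[rec["category"]]
        entry = {
            # A hash lets you answer "was record X destroyed?" without keeping the identifier itself.
            "record_ref": hashlib.sha256(rec["id"].encode()).hexdigest(),
            "category": rec["category"],
            "destroyed_on": today.isoformat(),
            "method": "overwrite-and-unlink",
            "retention_basis": basis,
        }
        with open(log_path, "a", encoding="utf-8") as log:
            log.write(json.dumps(entry) + "\n")
        destroyed.append(rec["id"])
    return destroyed


def run_sample() -> Tuple[List[str], List[str], List[dict]]:
    """Build constructed records in a temp directory, run the job, and report what happened."""
    today = date(2025, 5, 15)
    workdir = tempfile.mkdtemp()
    records = []
    for rid, category, age_days in [
        ("APP-001", "job_applications", 200),
        ("APP-002", "job_applications", 30),
        ("INV-2020-17", "invoices", 1900),
        ("LEAD-77", "marketing_leads", 400),
    ]:
        path = os.path.join(workdir, rid + ".txt")
        with open(path, "w", encoding="utf-8") as f:
            f.write("constructed personal information for " + rid)
        records.append({"id": rid, "category": category,
                        "last_activity": today - timedelta(days=age_days), "path": path})
    log_path = os.path.join(workdir, "destruction_log.jsonl")
    destroyed = destroy_expired(records, today, log_path)
    remaining = sorted(r["id"] for r in records if os.path.exists(r["path"]))
    with open(log_path, encoding="utf-8") as f:
        log_entries = [json.loads(line) for line in f]
    return destroyed, remaining, log_entries


if __name__ == "__main__":
    destroyed, remaining, log_entries = run_sample()
    print("destroyed:", destroyed)
    print("remaining:", remaining)
    print("log entries:", len(log_entries))
```

    Overwriting in place only counts as wiping on storage that actually rewrites the same blocks; on SSDs, copy-on-write or journaling filesystems, backups and cloud object storage the old bytes can survive, so there the realistic control is cryptographic erasure (destroying the key the data was encrypted under) or the provider's documented deletion process. Whatever method applies, record it in the log entry, as the `method` field does here, so the destruction record says how the data was destroyed and not only that it was.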

    10. Training and Awareness

    Compliance requires that everyone in your organisation understands their responsibilities.

    ☐ Train All Employees. Conduct regular training covering:

    • POPIA basics and why it matters
    • How to handle personal information
    • Recognising and reporting breaches
    • Data subject rights and requests

    ☐ Specialised Training for Key Roles. Provide additional training for:

    • Information Officer and deputies
    • HR and recruitment staff
    • Marketing teams
    • IT and security personnel

    Getting Started with POPIA Compliance

    If this checklist reveals gaps in your compliance, don't panic—but do act. Start with:

    1. Appoint your Information Officer and register with the Information Regulator
    2. Map your data—understand what personal information you hold and where
    3. Address high-risk gaps—security vulnerabilities and missing consent
    4. Document everything—policies, procedures, and decisions
    5. Build ongoing processes—compliance isn't a one-time project

    Need Help with POPIA Compliance?

    POPIA compliance can feel overwhelming, especially when you're trying to run a business. The good news is you don't have to figure it out alone.

    Dexani helps South African businesses achieve and maintain POPIA compliance. From data mapping and policy development to implementing security controls and training your team, we provide the expertise you need.

    Take the first step today. Contact Dexani for a POPIA readiness assessment and discover how we can help protect your business and your customers.


    Dexani is a Managed IT Services Provider specialising in compliance, cybersecurity, and IT support for South African businesses.

    Tags: POPIA, data protection, compliance, South Africa, privacy
