How to kick-start your POPIA compliance project

12 November 2020, Fanie Botes
One often hears business owners saying that they have not bothered to spend money on becoming POPIA compliant because there have not yet been any consequences for non-compliance. This is true, because the majority of the Act has only come into force with effect from 1 July 2020 (and you are afforded a year to get yourself compliant).

To quote former U.S. Deputy Attorney General Paul McNulty: “If you think compliance is expensive, try non-compliance.” The same rings true for POPIA, as severe penalties may be imposed for non-compliance with the provisions of the Act, and changing consumer expectations in any event necessitate that privacy policies be in place. Some research even indicates that the financial benefit to businesses that invest in strong data protection practices may far outweigh the costs associated with becoming compliant. This is because compliance with data protection and privacy standards will likely increase customer confidence in organisations that prioritise POPIA compliance.

Here are a few tips on how to start planning your POPIA compliance project and include POPIA in your annual budget planning:

Assemble a POPIA compliance project team

Determine who will be the Information Officer and Deputy Information Officers for your business. The Information Officer is an individual within an entity or institution, who is charged with ensuring compliance with POPIA and being responsible for the governance, management and security of personal information. The default Information Officer will generally be the executive head of that entity or institution, as well as any person duly appointed by the Information Officer to perform his or her duties.
After identifying the above individuals, consider adding IT, HR, sales and legal representatives to the POPIA compliance team to ensure that all bases of your business are covered, as these different departments may offer valuable insight on how POPIA should be implemented practically across the full spectrum of your business.

Conduct a preliminary investigation

Now that you have a task force assembled, get the POPIA compliance team to consider the following as a preliminary investigation aimed to establish how your business processes personal information:

What customer information does your business collect?
How does your business store the customer information which you collect?
Where is the customer information stored and who has access thereto?
Is the information of customers transferred to any third-party operators?
What employee information do you have and where do you store it?
Who has access to employees' HR files and with which third parties is that information shared (such as pension funds, medical aid, etc.)?
What service providers does your business use and do they have access to your customer or employee information?
How secure is the personal information which you store (think about physical barriers as well as technical security measures such as the anti-virus programmes which you use)?
Does your business engage in direct marketing and how is this done (electronically, or by telephone/in person)?
How is the personal information that your business collects and stores eventually destroyed? Is the method of destruction and/or deletion secure?
Does your business sell any data that may contain the personal information of others?

Work out a budget

Once you have an idea of what needs to happen and who will be on the POPIA compliance team for your business, you can get a better sense of how much outside help you will most likely need in order to become POPIA compliant. Ask a few service providers to send quotes to get the compliance process started.

Ask for help and approach experts

Don't be scared to approach legal and IT experts for assistance to become fully POPIA compliant as data and privacy protection is a specialised field. Most businesses will not have the necessary tools or knowledge to do everything themselves.

Review your current policies

Get updated copies of all your policies which may involve elements related to the processing of information (think information security management, marketing or HR policies) and review them or have them reviewed by legal experts.

Consider whether these policies contain anything relating to personal information and whether they adequately describe how such information will be protected or set out the measures to be taken in order to ensure that data is handled in a secure manner. If gaps are identified in certain policies, make a list of them for future reference so that they can be included in your POPIA compliance plan and the affected policies can be updated and implemented over time.

Draft a POPIA compliance plan and policy

Plan on how to achieve POPIA compliance and incorporate it in a formal business plan. This plan should clearly set out how your business will aim to become POPIA compliant and have set deadlines to achieve identified goals. The ultimate aim is to develop an overarching POPIA policy which sets out the implementation plan and how the business deals with the processing of personal information in a manner which is consistent with the provisions of POPIA from point of initial contact to destruction/deletion of such information.

Last thoughts: It is understandable if POPIA is not your first priority at the moment. You have a lot of other things on your mind and may be stuck in crisis control or survival mode. We all know the saying that “summer bodies are made in winter”. Well, perhaps the same may be said for your business' POPIA compliance in the time of Covid-19: work hard on compliance now in order to reap the benefits later when the sun starts shining again.

Article shared by Juanita van Zyl, Phatshoane Henney Group of Attorneys
Tags: POPI Act