Compliance writing for South African small businesses.
Plain-language explainers on POPIA, FICA, and the Companies Act, grounded in published Information Regulator guidance. Every article links to primary sources so you can check our work.
A 30-Day POPIA Compliance Starter Plan for Small Businesses
23 May 2026
Starting your POPIA compliance journey can feel overwhelming, but breaking it into manageable steps makes it achievable. This 30-day starter plan gives South African SME owners a practical framework for getting the basics in place — one wee
POPIA and Cookie Consent: What South African Website Owners Need to Know
23 May 2026
If you run a website that targets or serves South African users, the Protection of Personal Information Act (POPIA) has implications for how you collect and use cookie data. This article walks through what the Act says about cookies, what t
POPIA Staff Training: What's Actually Required
23 May 2026
For Information Officers and HR managers trying to get their organisations compliant, staff training is one of the most visible — and most misunderstood — requirements under the Protection of Personal Information Act. This article unpacks w
Building Your Data Processing Register from Scratch
23 May 2026
If you are an SA SME just starting your POPIA compliance programme, one of the first practical tasks on your list is creating a data processing register — sometimes called a record of processing activities. This guide walks through what the
POPIA and FICA for Estate Agents: Two Laws, One Client File
23 May 2026
Every time a property practitioner opens a new client file, two separate pieces of legislation quietly activate. The Protection of Personal Information Act (POPIA) governs how you collect and handle your client's personal data. The Financia
Responding to a POPIA Data Subject Access Request: A Step-by-Step Guide for Information Officers
23 May 2026
If you have recently been appointed as your organisation's Information Officer, one of the tasks you may encounter early on is handling a data subject access request (DSAR). POPIA section 23 gives individuals the right to ask whether you ho
Operators vs Responsible Parties Under POPIA: Who Bears the Liability?
23 May 2026
If your business outsources any data processing — payroll, cloud storage, email marketing, HR software — understanding the distinction between a responsible party and an operator under the Protection of Personal Information Act (POPIA) is e
POPIA and CCTV: Workplace Surveillance Done Right
23 May 2026
CCTV cameras are a practical reality for many South African businesses — whether you are protecting stock in a retail store, securing a warehouse, or monitoring access to a server room. But footage of identifiable employees and visitors is
Operator Agreements Under POPIA: What Businesses Need to Know About Data Processing Contracts
23 May 2026
Disclaimer: This article is general information based on published Information Regulator guidance and the text of the Protection of Personal Information Act 4 of 2013. It is not legal advice. For your specific situation, consult a qualified
POPIA for Medical Aid and Insurance Brokers: Handling Special Personal Information
23 May 2026
If you broker medical aid or insurance products in South Africa, the personal information you collect sits in a different category under the Protection of Personal Information Act (POPIA) — one that carries stricter obligations. Understandi
POPIA for Body Corporates and Homeowners' Associations: What Trustees and Managing Agents Need to Know
23 May 2026
Body corporates and homeowners' associations (HOAs) collect, store, and share a surprising amount of personal information every day — owner contact details, levy payment histories, visitor logs, security footage, and more. The Protection of
POPIA Compliance for Non-Profits and NPCs: What Your Organisation Needs to Know
23 May 2026
Non-profit organisations (NPOs) and non-profit companies (NPCs) handle personal information constantly — donor records, beneficiary files, volunteer details, and staff data all fall squarely within the scope of the Protection of Personal In
POPIA for Financial Advisors and FSPs: What the Act Means for Your Client Data
23 May 2026
Financial advisors and Financial Services Providers (FSPs) sit at the intersection of two demanding regulatory frameworks: the Financial Advisory and Intermediary Services Act (FAIS) and the Protection of Personal Information Act (POPIA). B
POPIA for E-Commerce: What South African Online Stores Need to Know
23 May 2026
Running an online store in South Africa means handling a constant stream of personal information — names, email addresses, delivery addresses, payment details, and browsing behaviour. The Protection of Personal Information Act (POPIA) sets
POPIA and Schools: What Administrators and ECD Operators Need to Know About Learner Information
23 May 2026
South African schools and Early Childhood Development (ECD) centres collect a remarkable amount of personal information every day — enrolment forms, health records, progress reports, photos, emergency contacts, and more. Much of this inform
POPIA for Healthcare Practices: What Doctors, Dentists, and Practice Managers Need to Know About Patient Information
23 May 2026
South Africa's Protection of Personal Information Act (POPIA) applies to every organisation that processes personal information — and for healthcare practices, the obligations run deeper than most. Patient records contain health data, which
Filing Your Beneficial Ownership Declaration with CIPC: A Step-by-Step Guide
23 May 2026
If you are a director of a South African company, you may have received a notification that your company is required to file a beneficial ownership (BO) declaration with the Companies and Intellectual Property Commission (CIPC). If this is
Companies Act Record Retention: What Company Secretaries and Bookkeepers Need to Know
23 May 2026
*This article is general information based on publicly available legislation and published regulatory guidance. It is not legal advice. For your specific situation, consult a qualified attorney or compliance professional.*
CIPC Compliance for Small Private Companies: The Essentials
23 May 2026
Running a small private company in South Africa comes with a set of ongoing obligations to the Companies and Intellectual Property Commission (CIPC). Missing a filing deadline or letting your records slip can result in penalties, deregistra
Director Duties Under the Companies Act, in Plain Language
23 May 2026
Congratulations — or perhaps commiserations — you are now a director of a South African company. The title comes with real authority, but it also comes with serious legal responsibilities. Many first-time directors are surprised to discover
The Statutory Registers Every South African Company Must Maintain
23 May 2026
Running a compliant South African company means more than filing annual returns and keeping the taxman happy. The Companies Act 71 of 2008 requires every company to maintain a set of statutory registers — structured records that document th
CIPC Annual Returns: Deadlines, Fees, and Deregistration Risk
23 May 2026
If you run a small private company in South Africa, filing your CIPC annual return is one of the few non-negotiable administrative tasks on your calendar. Miss it and your company can be deregistered — meaning it legally ceases to exist. Th
The Beneficial Ownership Register: What CIPC's 2023 Requirement Means for Your Company
23 May 2026
In 2023, the Companies and Intellectual Property Commission (CIPC) introduced a requirement for South African companies to maintain and file a beneficial ownership register. For directors and company secretaries, understanding what this mea
Do I Need to Register My Business with the FIC?
23 May 2026
If you run a small or medium business in South Africa, you may have heard the term "FIC registration" and wondered whether it applies to you. The Financial Intelligence Centre (FIC) is the country's anti-money-laundering (AML) authority, an
FICA Record-Keeping: What to Keep and for How Long
23 May 2026
For accountable institutions in South Africa, maintaining the right records for the right period is one of the most practical — and inspected — parts of your anti-money laundering (AML) compliance programme. The Financial Intelligence Centr
PEP Screening Under FICA: What Accountable Institutions Need to Know
23 May 2026
For compliance teams at Accountable Institutions, identifying and managing relationships with Politically Exposed Persons (PEPs) is one of the more demanding elements of a risk-based compliance programme. This article outlines how the Finan
Suspicious Transaction Reporting to the FIC: What Accountable Institutions Need to Know
23 May 2026
If your business is an Accountable Institution under the Financial Intelligence Centre Act (FICA), reporting suspicious transactions to the Financial Intelligence Centre (FIC) is one of your core compliance obligations. This article explain
Identifying Beneficial Ownership Under FICA: A Practical Guide for Accountable Institutions
23 May 2026
When your institution onboards a company as a client, one of the most demanding tasks is identifying who ultimately owns or controls that entity. This is the beneficial ownership requirement under the Financial Intelligence Centre Act (FICA
FICA Customer Due Diligence (CDD) Explained for Accountable Institutions
23 May 2026
Customer due diligence is one of the cornerstones of South Africa's anti-money laundering and counter-terrorism financing framework. If your organisation is listed as an Accountable Institution under Schedule 1 of the Financial Intelligence
Writing a FICA Risk Management and Compliance Programme (RMCP): A Practical Guide for Accountable Institutions
23 May 2026
If your business is listed as an Accountable Institution under Schedule 1 of the Financial Intelligence Centre Act (FICA), you are required to have a documented Risk Management and Compliance Programme (RMCP). This guide explains what an RM
FICA Basics: What Every Accountable Institution Must Know
23 May 2026
South Africa's Financial Intelligence Centre Act (the FIC Act) places specific obligations on certain businesses — called Accountable Institutions — to help detect and prevent money laundering and the financing of terrorism. If you are an e
When a Customer Objects to Processing: What POPIA Section 11(3) Means for Your Business
23 May 2026
Receiving a formal objection to how your business processes someone's personal information can feel daunting. What exactly are you required to do? How quickly must you act? And what happens if you disagree with the objection? This article w
What Happens When a POPIA Complaint Reaches the Information Regulator?
23 May 2026
If a customer, employee, or other data subject believes your business has mishandled their personal information, they have the right to lodge a formal complaint with the Information Regulator. Understanding how that process unfolds can help
Building a POPIA Breach Response Plan Before You Need It
23 May 2026
For Information Officers at South African organisations, a security compromise is not a question of *if* but *when*. POPIA places clear obligations on responsible parties once a breach occurs — and the organisations that navigate those mome
How to Handle a Data Breach in the First 72 Hours Under POPIA
23 May 2026
A security incident is already stressful. Not knowing what you are required to do next makes it worse. This guide walks through the practical steps South African businesses typically take in the first 72 hours after discovering a data breac
POPIA Correction and Deletion Requests: What SA Businesses Need to Know
23 May 2026
When a customer, employee, or supplier asks you to fix or remove their personal information, that request carries legal weight under the Protection of Personal Information Act (POPIA). Understanding how these requests work — and what a busi
Keeping Personal Information Accurate: The POPIA Data Quality Condition
23 May 2026
For any South African business that holds a customer database, data quality is not just a housekeeping concern — it is a compliance obligation under the Protection of Personal Information Act (POPIA). Understanding what the Act requires aro
POPIA for HR: How South African Employers Should Handle Employee Personal Information
23 May 2026
The Protection of Personal Information Act (POPIA) does not stop at your customer database. It extends to every piece of personal information your business holds about its employees — from ID numbers and payslips to disciplinary records and
POPIA Penalties and Enforcement: What Actually Happens
23 May 2026
South African business owners often ask the same question: is the Information Regulator actually enforcing POPIA, and what is the real risk of getting it wrong? This article walks through what the enforcement process looks like, what penalt
Sending Personal Information Offshore: POPIA Section 72 Explained
23 May 2026
Many South African businesses use offshore cloud services — whether for payroll, CRM, email, storage, or accounting. If any of that infrastructure sits outside South Africa and processes personal information about South African data subject
POPIA Data Retention: How Long Can You Keep Personal Information?
23 May 2026
For many South African businesses, personal information accumulates quietly — in CRM systems, email threads, HR files, and customer databases. Knowing when to delete or anonymise that information is not just good housekeeping; it is a requi
POPIA and Direct Marketing: What the Section 69 Opt-In Rule Means for Your Business
23 May 2026
If your business sends promotional emails, SMS messages, or WhatsApp blasts to customers or prospects, POPIA's rules on electronic direct marketing apply to you. Section 69 of the Protection of Personal Information Act sets out when and how
Special Personal Information Under POPIA: What the Section 26 Rules Mean for Your Business
23 May 2026
If your business collects health records, biometric data, criminal histories, or information about employees' religious beliefs or trade union membership, POPIA places you in a higher-risk category. Two sections of the Act — section 26 and
POPIA Consent: When You Actually Need It (and When You Don't)
23 May 2026
Many South African business owners assume that POPIA means getting consent for everything. In practice, consent is just one of six lawful bases for processing personal information — and it is often not the most appropriate one. Understandin
The POPIA Information Officer: Duties, Registration, and What to Expect
23 May 2026
If your business operates in South Africa and processes personal information — which almost every business does — the Protection of Personal Information Act (POPIA) requires you to designate an Information Officer. This role sits at the cen
POPIA Section 11: The Six Lawful Bases for Personal Data Processing
23 May 2026
Every time your organisation processes personal data—whether you're collecting customer contact details, storing employee records, or maintaining a supplier database—you need a lawful basis to do so. In South Africa, that requirement comes
How to Write a POPIA-Compliant Privacy Notice: A Step-by-Step Guide for SA SMEs
23 May 2026
If you run a South African small or medium business and collect personal information from customers, employees, or suppliers—even just email addresses or phone numbers—you are legally required to have a privacy notice. This guide walks you
What data subjects can ask of you under POPIA — and how to respond
21 May 2026
Five sections of POPIA give data subjects rights you must respect: sections 23 (access), 24 (correction and deletion), 11(2)(b) (withdrawal of consent), 11(3) (objection), and 74 (complaint to the Regulator). The first two are where most en
FICA and POPIA: how the two laws fit together
21 May 2026
If your business is an Accountable Institution under the Financial Intelligence Centre Act (FICA) - an attorney, estate agent, financial advisor, motor-vehicle dealer above the threshold, bank, etc. - you have two compliance regimes pulling
POPIA essentials: what every South African small business must do
21 May 2026
If you run a small business in South Africa and you collect any personal information from anyone - a customer's email address, an employee's ID number, a supplier's banking details - POPIA applies to you. The Protection of Personal Informat