Starting your POPIA compliance journey can feel overwhelming, but breaking it into manageable steps makes it achievable. This 30-day starter plan gives South African SME owners a practical framework for getting the basics in place — one week at a time.
> Disclaimer: This article is general information based on published Information Regulator guidance. It is not legal advice. For your specific situation, consult a qualified attorney.
---
Why bother? A quick recap
The Protection of Personal Information Act (POPIA) governs how South African businesses collect, store, use, and share personal information. The Information Regulator — the body responsible for enforcement — can investigate complaints, issue enforcement notices, and refer matters for prosecution. Beyond the regulatory risk, handling personal information responsibly builds trust with your customers, suppliers, and staff.
This plan is not exhaustive, and your business may have specific requirements that go beyond these steps. Think of it as a running start, not a finish line.
---
Week 1 (Days 1–7): Know what you have
Day 1–2: Appoint an Information Officer
POPIA requires every responsible party (the business that decides how and why personal information is processed) to have an Information Officer. For most SMEs this is the owner or a senior manager. Section 55 sets out the Information Officer's duties, which include encouraging compliance with the Act, dealing with requests from data subjects, and working with the Information Regulator when required.
Once you have identified the person, register them with the Information Regulator at inforegulator.org.za. Registration is mandatory and free.
Day 3–5: Map your personal information
Before you can protect data, you need to know what you hold. Walk through every part of your business — customer records, employee files, supplier contacts, email lists, CCTV footage, website analytics — and list:
- What personal information you collect
- Where it lives (cloud storage, spreadsheets, accounting software, paper files, staff laptops and phones)
- Who has access
- Why you collected it in the first place
- Whether any of it is special personal information (for example health, biometric or criminal-record data, which POPIA section 26 treats more strictly) or relates to children (section 34)
This exercise feeds directly into the record of processing activities that POPIA section 17 describes.
Day 6–7: Understand your lawful basis
POPIA section 11 sets out the grounds on which processing personal information is lawful: consent from the data subject, processing necessary to carry out a contract, a legal obligation, protecting a legitimate interest of the data subject, the performance of a public-law duty by a public body, or the legitimate interests of your business or a third party. For each category of information you mapped, identify which ground applies. Bear in mind that consent can be withdrawn, so if another ground genuinely fits, do not rely on consent alone. If you cannot identify any ground, that is a red flag worth discussing with a qualified attorney.
---
Week 2 (Days 8–14): Sort out your policies and notices
Day 8–10: Draft a privacy notice
POPIA section 18 requires that when you collect personal information directly from a data subject, you notify them of key facts: who you are, what information you are collecting, why, whether they are required to provide it, and their rights. This is typically done through a privacy notice on your website, in a contract, or at the point of collection (such as a sign-up form).
Keep the language plain. A notice no one reads because it is buried in jargon does not serve its purpose.
Day 11–12: Review your consent mechanisms
Where you rely on consent as your lawful basis, POPIA defines it as a voluntary, specific and informed expression of will. Check your sign-up forms, email subscription flows, and any paper forms you use. Pre-ticked boxes and silence do not constitute valid consent. Section 11 also places the burden of proving consent on you, so record when, how and for what purpose each consent was given.
If you send marketing emails or SMS messages, POPIA section 69 is especially relevant: unsolicited electronic direct marketing requires prior consent from the recipient, and you may ask for that consent only once. Existing customers are the exception, but only for marketing of similar products or services, only where you obtained their contact details in the context of a sale, and only if you gave them a reasonable opportunity to object when the details were collected and in every message since.
Day 13–14: Draft a basic internal privacy policy
Your staff need to know how your business handles personal information. A short internal policy covering acceptable use of customer data, password and device rules, and what to do if something goes wrong goes a long way toward building a compliance culture.
---
Week 3 (Days 15–21): Secure the information you hold
Day 15–17: Assess your technical safeguards
POPIA section 19 requires responsible parties to take appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of it. It also expects you to identify the risks, put safeguards in place, and regularly verify and update them. For most SMEs, reasonable measures include:
- Strong, unique passwords and two-factor authentication on every account that holds personal information, including email and cloud storage
- Up-to-date software: keep operating systems, applications, antivirus and firewalls patched, and retire systems that no longer receive updates
- Encryption of sensitive files at rest and full-disk encryption on every laptop and phone that carries personal information, so that a lost device is not automatically a breach of the data on it
- Limited access: staff should only see the data they need to do their job, and access should be removed when someone leaves or changes role
- Regular backups that are stored separately from the systems they protect and that you have actually tested restoring
Day 18–19: Check your third-party processors
If another business processes personal information on your behalf (POPIA calls them an operator): a payroll bureau, a cloud CRM provider, a marketing agency. Sections 20 and 21 require a written contract that obliges the operator to process the information only on your authority, to keep it confidential, and to maintain the security measures section 19 requires of you. Section 21 also requires the operator to notify you immediately if it reasonably believes the information has been accessed or acquired by an unauthorised person, so check that your contracts actually say so. Review your key supplier agreements and identify any gaps.
Day 20–21: Set up a breach response checklist
POPIA section 22 requires that where there are reasonable grounds to believe personal information has been accessed or acquired by an unauthorised person (a data breach, a ransomware attack, a lost unencrypted laptop) you notify both the Information Regulator and the affected data subjects as soon as reasonably possible after discovering the compromise. The notification to data subjects must give them enough information to protect themselves, such as what happened, what you have done about it, and who to contact. Draft a one-page checklist now so that if something does go wrong, you are not starting from scratch under pressure. The checklist should include: who to call (including your operators, who are obliged to call you), what to document, how to preserve evidence, and how to notify the Regulator at inforegulator.org.za.
---
Week 4 (Days 22–30): Embed and document
Day 22–24: Set a data retention schedule
POPIA section 14 addresses how long personal information may be kept. The general principle is that you should not hold personal information for longer than is necessary to achieve the purpose for which it was collected, and once that purpose is achieved you must delete or destroy it, or de-identify it, as soon as reasonably practicable. Review your records and set a schedule: when does each category of data get deleted or de-identified, and who is responsible for doing it?
Note that other laws — such as the Companies Act and SARS requirements — may impose their own minimum retention periods. Where those overlap with POPIA, the longer obligation typically governs. A qualified attorney or accountant can help you reconcile these.
Day 25–27: Document your processing activities
Bring your week-one mapping exercise into a formal record. POPIA section 17 describes the obligation to maintain documentation of processing activities. This does not need to be elaborate — a well-organised spreadsheet listing each category of data, its purpose, lawful basis, retention period, and who is responsible is a solid foundation.
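The retention schedule from days 22–24 and the record of processing activities from days 25–27 are the same spreadsheet viewed from two angles, and the check "what is overdue, and what have we never mapped?" is worth automating once the spreadsheet exists. The script below is an added illustration written for this article, not tooling from Khanyitas or the Information Regulator. Its categories, retention periods and record identifiers are constructed placeholders, and the statutory minimum periods are hypothetical figures, not a statement of what the Companies Act or SARS actually require.

```python
"""Retention schedule review (added illustration, not the article's own tooling).

The categories, periods and record IDs below are constructed placeholders;
the statutory minimums are hypothetical and must be confirmed with a
qualified attorney or accountant before use.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RetentionRule:
    """One row of the record of processing activities (POPIA s 17)."""
    category: str
    purpose: str
    lawful_basis: str            # the s 11 ground identified in week one
    needed_days: int             # how long the purpose genuinely needs the data (s 14)
    statutory_min_days: int = 0  # minimum some other law imposes (hypothetical here)
    action: str = "delete"       # "delete" or "de-identify" once the period lapses
    owner: str = "Information Officer"

    @property
    def effective_days(self) -> int:
        # Where another law requires a longer period, the longer obligation governs.
        return max(self.needed_days, self.statutory_min_days)


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    purpose_fulfilled_on: date   # the retention clock starts when the purpose is achieved


# Constructed sample schedule; every period here is illustrative only.
RULES = {
    r.category: r for r in (
        RetentionRule("customer_invoices", "billing and accounts", "contract",
                      needed_days=365, statutory_min_days=5 * 365),
        RetentionRule("marketing_list", "direct marketing", "consent",
                      needed_days=365),
        RetentionRule("cctv_footage", "premises security", "legitimate interest",
                      needed_days=30),
        RetentionRule("employee_files", "employment administration", "contract",
                      needed_days=3 * 365, statutory_min_days=5 * 365,
                      action="de-identify"),
    )
}

# Constructed sample inventory; one category was never mapped in week one.
RECORDS = [
    Record("INV-001", "customer_invoices", date(2019, 1, 15)),
    Record("INV-002", "customer_invoices", date(2023, 3, 1)),
    Record("MKT-017", "marketing_list", date(2023, 5, 1)),
    Record("CCTV-0612", "cctv_footage", date(2024, 6, 12)),
    Record("CCTV-0520", "cctv_footage", date(2024, 5, 20)),
    Record("WEB-2024Q1", "website_analytics", date(2024, 1, 1)),
]

TODAY = date(2024, 6, 30)   # fixed so the example is reproducible offline


def review(rules, records, today):
    """Return (due, unmapped).

    due: list of (record_id, action, due_on) for records whose effective
         retention period has lapsed, oldest due date first.
    unmapped: categories with no retention rule at all; these need a row in
         the record of processing activities before anything else happens.
    """
    due, unmapped = [], set()
    for rec in records:
        rule = rules.get(rec.category)
        if rule is None:
            unmapped.add(rec.category)
            continue
        due_on = rec.purpose_fulfilled_on + timedelta(days=rule.effective_days)
        if due_on <= today:
            due.append((rec.record_id, rule.action, due_on))
    due.sort(key=lambda item: item[2])
    return due, unmapped


def run_review():
    """Run the review over the constructed sample data."""
    return review(RULES, RECORDS, TODAY)


if __name__ == "__main__":
    due, unmapped = run_review()
    for record_id, action, due_on in due:
        print(f"{record_id}: {action} (retention lapsed {due_on.isoformat()})")
    for category in sorted(unmapped):
        print(f"{category}: no retention rule; add it to the record of processing")
```

Two things the script surfaces that a glance at the spreadsheet often misses: invoices whose business purpose ended years ago but which a (hypothetical) longer statutory minimum still protects from deletion, and a category of data that exists on disk but never made it into the week-one map, which is the gap to close first.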
Day 28–29: Train your team
Compliance is only as strong as the people handling data day to day. Hold a short briefing with any staff who touch personal information. Cover the basics: what counts as personal information, how to recognise and route a data subject access request (POPIA section 23 gives data subjects the right to ask what information you hold about them, and section 24 the right to have it corrected or deleted), how to recognise phishing, and what to do if they suspect a breach, including telling the Information Officer immediately rather than trying to fix it quietly.
Day 30: Review and plan forward
Conduct a quick self-audit against everything above. What is in place? What still has gaps? Prioritise the gaps and set a realistic timeline to close them. POPIA compliance is not a once-off project — it requires ongoing attention as your business grows and as the Information Regulator issues new guidance.
---
What comes next?
Once the basics are in place, you can look at more advanced topics: conducting a personal information impact assessment (the term the POPIA Regulations use) before launching a new product or system, reviewing whether any personal information is transferred outside South Africa, including to overseas cloud providers (POPIA section 72 sets the conditions for cross-border transfers), or developing a more detailed data subject rights procedure with response deadlines.
Khanyitas is designed to help South African SMEs manage exactly this kind of ongoing compliance work — from maintaining your record of processing activities to tracking data subject requests and breach notifications.