Building Your Data Processing Register from Scratch
If you are an SA SME just starting your POPIA compliance programme, one of the first practical tasks on your list is creating a data processing register — sometimes called a record of processing activities. This guide walks through what the register is, why it matters, and how to approach building one for your business.
> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation, consult a qualified attorney.
---
What is a data processing register?
A data processing register is an internal document — or set of documents — that records all the ways your business collects, uses, stores, shares, and deletes personal information. Think of it as a map of how personal data moves through your organisation.
POPIA section 17 requires a responsible party (that is, the person or business that determines the purpose of and means for processing personal information) to maintain documentation of all processing operations under their responsibility. The Information Regulator has confirmed that this obligation applies to businesses of all sizes, including SMEs. You can read the Regulator's published guidance at inforegulator.org.za.
---
Why does it matter for your business?
Beyond regulatory compliance, a well-maintained register gives you three practical benefits:
- Clarity. You will know exactly what personal information your business holds, where it came from, and who has access to it.
- Accountability. If the Information Regulator or a data subject ever asks how you process personal information, the register is your first line of evidence that your programme is real and not just a policy document gathering dust.
- Risk visibility. The process of building the register often surfaces risks you did not know existed — an old spreadsheet of customer contact details, a third-party app that stores employee records in an unknown location, or a marketing list that pre-dates POPIA's opt-in requirements under section 69.
---
What should the register contain?
There is no single prescribed format under POPIA, but Information Regulator guidance and standard practice point to the following fields for each processing activity:
| Field | What to capture |
|---|---|
| Name of the processing activity | A plain description, e.g. "Customer invoicing" or "Staff payroll" |
| Category of personal information | E.g. contact details, financial information, health data |
| Data subjects affected | E.g. customers, employees, suppliers, website visitors |
| Purpose of processing | Why you collect and use this information (linked to section 13) |
| Lawful basis | The justification under section 11 — consent, contract, legal obligation, legitimate interest, etc. |
| Retention period | How long you keep the data and why (linked to section 14) |
| Who has access / third-party processors | Internal roles and any external processors or operators |
| Cross-border transfers | Whether data leaves South Africa (relevant to section 72) |
| Security measures | A brief note on the controls protecting this data (linked to section 19) |
| Date last reviewed | Keep the register a living document |
If any processing involves special personal information — such as health data, biometric data, or information about criminal behaviour — POPIA sets stricter rules. Refer to section 26 and section 27, and take specific advice from a qualified attorney before processing such data.
---
A step-by-step approach for SMEs
Step 1 — Appoint or confirm your Information Officer
POPIA section 55 sets out the duties of the Information Officer. In most SMEs this is the owner or a senior manager. The Information Officer is responsible for ensuring the register is created and maintained. Your Information Officer must be registered with the Information Regulator — see inforegulator.org.za for the online registration process.
Step 2 — Conduct a data discovery exercise
Before you can document processing, you need to know what is happening. Walk through each department or function in your business and ask:
- What personal information do we collect here?
- Where does it come from (forms, emails, third-party systems)?
- Where is it stored?
- Who can access it?
- How long do we keep it?
For a small business, this might be a single afternoon's exercise. For a business with multiple systems and staff, budget more time.
Step 3 — Create your register template
A simple spreadsheet works well to start. Use the field list above as your column headings. Resist the urge to over-engineer the format at this stage — a basic register you actually maintain is far more valuable than a complex one that sits untouched.
Step 4 — Populate one processing activity at a time
Start with your highest-risk or highest-volume activities: customer records, employee records, and any data shared with third parties. Work through the data discovery findings and fill in each row. Where you are uncertain about the lawful basis or retention period, flag the row for review rather than guessing.
Step 5 — Review and sign off
Once the first draft is complete, your Information Officer should review each entry for accuracy. Note any gaps or risks you have identified, and create action items to address them — for example, updating a data collection notice to comply with section 18, or putting a data processing agreement in place with an operator.
Step 6 — Schedule regular reviews
The register is not a once-off exercise. Set a calendar reminder to review it at least annually, and update it any time you introduce a new system, change a supplier, or launch a new product or service that involves personal information.
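As an added illustration of Steps 3 to 6 (not part of the original guide, and not an Information Regulator tool), the script below models one register row per processing activity using the field list from the table above, and runs the kind of consistency checks an Information Officer would apply at review time: rows with no lawful basis or retention period are flagged rather than guessed, operators without a written agreement are surfaced, special personal information and cross-border transfers are marked for specific attention, and entries not reviewed within a year are reported as overdue. The three sample activities, their dates and the one-year review interval are constructed for the example.

```python
"""Minimal POPIA processing-register review script (added example).

Illustrative code written for this guide; field names mirror the register
fields in the table above. Sample rows and dates are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

REVIEW_INTERVAL_DAYS = 365  # the guide recommends reviewing at least annually

# Categories the guide names as special personal information (sections 26-27).
SPECIAL_CATEGORIES = {"health data", "biometric data", "criminal behaviour"}


@dataclass
class Activity:
    """One row of the register; one field per column in the table above."""
    name: str
    categories: List[str]
    data_subjects: List[str]
    purpose: str
    lawful_basis: Optional[str]          # None = not yet determined
    retention_period: Optional[str]      # None = not yet determined
    access: List[str]                    # internal roles with access
    operators: List[str] = field(default_factory=list)
    operator_agreement_in_place: bool = False
    cross_border: bool = False
    security_measures: str = ""
    last_reviewed: Optional[date] = None


def review_activity(a: Activity, today: date) -> List[str]:
    """Return the review findings for a single register row."""
    findings: List[str] = []
    if not a.lawful_basis:
        findings.append("lawful basis missing (section 11): flag for review, do not guess")
    if not a.retention_period:
        findings.append("retention period missing (section 14)")
    if not a.security_measures:
        findings.append("no security measures recorded (section 19)")
    if any(c.lower() in SPECIAL_CATEGORIES for c in a.categories):
        findings.append("special personal information (sections 26-27): take legal advice")
    if a.operators and not a.operator_agreement_in_place:
        findings.append("operators listed without a written agreement")
    if a.cross_border:
        findings.append("cross-border transfer: check section 72 conditions")
    if a.last_reviewed is None or (today - a.last_reviewed).days > REVIEW_INTERVAL_DAYS:
        findings.append("review overdue: never reviewed or last reviewed over a year ago")
    return findings


def review_register(register: List[Activity], today: date) -> Dict[str, List[str]]:
    """Map each activity name to its list of findings (empty list = clean)."""
    return {a.name: review_activity(a, today) for a in register}


# Constructed sample register with one clean row and two rows needing work.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_REGISTER = [
    Activity(
        name="Customer invoicing",
        categories=["contact details", "financial information"],
        data_subjects=["customers"],
        purpose="Issue and collect payment for invoices",
        lawful_basis="contract",
        retention_period="duration of relationship plus statutory record-keeping period",
        access=["finance"],
        security_measures="accounting system with role-based access; encrypted backups",
        last_reviewed=date(2024, 3, 1),
    ),
    Activity(
        name="Staff payroll",
        categories=["contact details", "financial information"],
        data_subjects=["employees"],
        purpose="Calculate and pay salaries",
        lawful_basis="legal obligation",
        retention_period="as required by employment and tax law",
        access=["owner", "HR"],
        operators=["Example Payroll Bureau (constructed)"],
        operator_agreement_in_place=False,       # written agreement still outstanding
        security_measures="bureau portal with MFA",
        last_reviewed=date(2022, 5, 1),           # more than a year ago
    ),
    Activity(
        name="Marketing newsletter",
        categories=["contact details"],
        data_subjects=["customers", "website visitors"],
        purpose="Send product updates",
        lawful_basis=None,                        # pre-POPIA list; basis unconfirmed
        retention_period=None,
        access=["marketing"],
        operators=["Example Email Platform (constructed)"],
        operator_agreement_in_place=True,
        cross_border=True,                        # platform hosts data outside South Africa
        security_measures="platform login with MFA",
        last_reviewed=None,
    ),
]


def sample_review() -> Dict[str, List[str]]:
    """Run the checks over the constructed register; used by the demo below."""
    return review_register(SAMPLE_REGISTER, SAMPLE_TODAY)


if __name__ == "__main__":
    for name, findings in sample_review().items():
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Rows with an empty findings list need no action; every other finding becomes an action item for the Information Officer, which is the same outcome Step 5 describes, just produced consistently each time the register is reviewed.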
---
Common mistakes to avoid
- Treating the register as a tick-box exercise. The value lies in the process of building it, not the document itself.
- Leaving it with one person. If only one person knows where the register is and what it contains, your programme is fragile.
- Forgetting operators. Third-party service providers who process personal information on your behalf — payroll bureaus, cloud storage providers, email marketing platforms — must appear in your register. POPIA requires that your relationship with operators is governed by written agreements.
- Ignoring retention. Many SMEs collect data but never delete it. Section 14 of POPIA sets out the framework for how long personal information may be retained. Build a retention schedule alongside your register.
---
Useful resources
- Information Regulator (South Africa): inforegulator.org.za
- POPIA full text (Government Gazette): gov.za
---
> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation — including decisions about lawful basis, retention periods, and special personal information — consult a qualified attorney.