# How to Write a POPIA-Compliant Privacy Notice
If you run a South African small or medium business and collect personal information from customers, employees, or suppliers—even just email addresses or phone numbers—you are legally required to have a privacy notice. This guide walks you through what a privacy notice is, why it matters, and how to build one that complies with the Protection of Personal Information Act (POPIA).
## What is a privacy notice?
A privacy notice is a document that tells people how you collect, use, store, and protect their personal information. It answers questions like:
- Why are you asking for my email address?
- How long will you keep my data?
- Who else might see it?
- What are my rights?
- How do I complain if something goes wrong?
Under South African law, you must provide this information before or at the time you collect someone's data. This is called the notification principle, and it is a cornerstone of POPIA compliance.
## Why POPIA section 18 matters
POPIA section 18 (Notification to data subjects) requires that a responsible party—that is, the person or company collecting the data—must notify data subjects of the prescribed information. The Information Regulator publishes detailed guidance on section 18 to help you understand what "prescribed information" means in practice.
In plain terms, section 18 says you must tell people what you are doing with their data, and you must do it clearly and in time.
## What must your privacy notice include?
According to POPIA section 18 and the Regulator's guidance, your privacy notice must cover:
### 1. Identity and contact details of your business
State your company name, registration number (if applicable), physical address, email, and phone number. People need to know who is collecting their data.
Example: "*Acme Supplies (Pty) Ltd, Company Reg. No. 2024/123456, 42 Main Street, Johannesburg. Contact: privacy@acmesupplies.co.za or 011-555-0123.*"
### 2. Purpose of processing
Explain exactly why you are collecting the data. Be specific. "Improvement of services" is vague; "to send you monthly billing invoices and product updates" is clear.
Example: "*We collect your email address and phone number to send you order confirmations, delivery updates, and (if you opt in) news about special offers.*"
### 3. Legal basis
Why are you allowed to collect this data? Under POPIA, you must have a lawful basis. Common ones include:
- Consent – the person agrees.
- Contract – the data is needed to fulfil an order or service.
- Legal obligation – the law requires it (e.g., tax records for SARS).
- Legitimate interest – you have a genuine business reason and it does not unfairly harm the person.
State which one applies, and link to the relevant section of POPIA if possible.
### 4. Recipients of the data
Will you share the data with anyone else? For example:
- A payment processor (e.g., Stripe, PayFast).
- Your accountant or bookkeeper.
- A logistics partner for delivery.
- A cloud storage provider.
List them and explain why. If you do not share data, say so.
Example: "*We share your name and delivery address with our logistics partner, Last Mile Logistics, only to deliver your order. We do not sell or rent your data to third parties.*"
### 5. Retention period
How long will you keep the data? This depends on your business needs and legal obligations.
- Customer contact details – often kept for the life of the customer relationship, plus a few years for disputes or accounting purposes.
- Payment records – must be kept for at least 5 years for SARS compliance.
- Employee records – typically 3 years after employment ends, unless the law requires longer.
Be realistic and honest. Do not say "we delete everything after 30 days" if you actually keep email lists for years.
### 6. Data subject rights
Under POPIA, people have the right to:
- Access – ask what data you hold about them.
- Correct – ask you to fix inaccurate information.
- Object – ask you to stop using their data for marketing, for instance.
- Request deletion – in certain circumstances (right to be forgotten).
Tell them how to exercise these rights. Provide an email address or contact form.
Example: "*You have the right to request access to, correction of, or deletion of your personal information. Email your request to privacy@acmesupplies.co.za with the subject 'Data Subject Request.'*"
### 7. Complaints process
Who do they contact if they think you have mishandled their data? First, give your own complaint contact. Then, explain that they can escalate to the Information Regulator.
Example: "*If you believe we have breached your privacy rights, please contact our Privacy Officer at privacy@acmesupplies.co.za. You may also lodge a complaint with the Information Regulator at inforegulator.org.za.*"
### 8. Automated decision-making (if applicable)
If you use algorithms or automated systems to make decisions about people—for example, a credit-scoring tool—you must disclose this and explain how to object.
## How to format and deliver your privacy notice
A privacy notice can be:
- A dedicated webpage on your website (best for online businesses).
- A PDF you email or provide in print.
- A pop-up or banner (for online forms).
- A link in an email signup form.
Best practice: Host a single, comprehensive privacy notice on your website, and link to it prominently in the footer and at any point where you collect data.
## Plain language matters
Write for your actual customers, not a lawyer. Avoid jargon. Use short sentences. Break up text with headings. If you cannot explain it simply, simplify it.
**Poor:** "The responsible party shall process personal information in accordance with the lawful basis prescribed in POPIA section 6(1), with particular regard to the legitimate interests of the responsible party and data subjects."

**Good:** "We collect your information because it helps us run our business fairly and because you have agreed to it."
## Common mistakes to avoid
- Being too vague. "We use your data to improve our service" does not tell people what you actually do.
- Burying the notice. Do not hide your privacy policy in tiny print or behind five clicks.
- Forgetting to update it. If your business processes change, update your notice.
- Assuming consent is enough. You need consent *and* a clear notice. One does not replace the other.
- Collecting data you do not need. The less data you collect, the fewer obligations you have.
## Next steps
- Audit your data flows. List every type of personal information you collect and why.
- Draft your notice using the sections above as a template.
- Have a lawyer review it if budget allows (compliance review is often affordable for SMEs).
- Publish it on your website and link it from every data collection point.
- Train your team. Make sure your staff understand what the notice says and why it matters.
## Disclaimer
This guide is based on the POPIA Act and public guidance from the Information Regulator. It is not legal advice. Privacy law is context-specific, and your business may have unique requirements (for example, if you process data for other companies, or if you handle special categories of data like health or criminal history). We recommend consulting a qualified attorney familiar with South African data protection law to review your final privacy notice before publication.
---
*Khanyitas helps SA SMEs manage POPIA compliance. For templates, checklists, and automated compliance workflows, visit khanyitas.com.*