Does POPIA apply to my one-person business?

Yes. POPIA applies to any responsible party that processes personal information in South Africa, regardless of size. The duties scale with the scope of processing but they apply from the first customer.

What is the penalty for non-compliance?

Administrative fines of up to R10 million, civil liability to data subjects, and criminal liability for the responsible party in certain cases. The Information Regulator can also order specific remedial steps.

Do I need to register as an Information Officer?

Yes. POPIA requires every private body to designate an Information Officer and register them with the Information Regulator. By default this is the head of the private body unless someone else is formally designated.

POPIA essentials: what every South African small business must do

If you run a small business in South Africa and you collect any personal information from anyone - a customer's email address, an employee's ID number, a supplier's banking details - POPIA applies to you. The Protection of Personal Information Act came into force on 1 July 2020 and has been fully enforceable since 1 July 2021. The Information Regulator has been issuing enforcement notices since 2022.

This article walks through the concrete steps you need to take. None of them are exotic. Most can be done in a week.

1. Appoint your Information Officer

POPIA requires every responsible party to have an Information Officer. By default this is the head of the business unless someone else is formally designated. You must register your Information Officer with the Information Regulator. There is no fee.

What the Information Officer is on the hook for:

Encouraging compliance with POPIA inside the business
Dealing with requests from data subjects (DSARs)
Working with the Information Regulator if there's a complaint or breach
Ensuring staff understand their POPIA duties

2. Know what personal information you process

POPIA section 17 requires you to keep a record of processing activities. This is the foundation everything else builds on. For every category of personal information you handle, document:

Whose data it is (customers, employees, suppliers, prospects)
What information you collect (contact, identity, financial, health)
Why you process it (the purpose)
The POPIA section 11 lawful basis for that processing
Who else sees it (operators, third parties)
Whether it leaves South Africa
How long you keep it
How you protect it

If you cannot answer those questions for every personal-information flow in your business, you have a section 17 problem.

3. Publish a privacy notice

POPIA section 18 requires you to tell data subjects, when you collect their personal information, what you are going to do with it. The Information Regulator's published guidance specifies what must appear in the notice. The notice must be plain-language - not legalese.

Your privacy notice should be published somewhere data subjects can find it, typically your website. If you collect personal information in person or by phone, you also need a short script that points people to the notice.

4. Lock down security

POPIA section 19 requires reasonable security safeguards. Reasonable is judged against the sensitivity of the information and the state-of-the-art at the time. Practical minimums:

Strong passwords on every account that touches personal information
Multi-factor authentication on email and admin accounts
Encryption in transit (HTTPS everywhere)
Encrypted backups
Role-based access controls (people see only what they need)
A documented procedure for what to do when a laptop is lost or stolen, or someone leaves

5. Have a breach plan ready

POPIA section 22 requires you to notify the Information Regulator and affected data subjects when personal information has been accessed by an unauthorised person. The Regulator's guidance interprets the statutory deadline as 72 hours from detection.

Three hours after you discover a breach is the wrong time to start writing your incident-response plan. Have it ready now. Khanyitas pre-populates the Regulator template and the data-subject notice the moment you declare an incident.

6. Train your staff

Most personal-information mishaps come from staff who didn't know what was expected of them. POPIA expects the Information Officer to ensure staff understand their duties. A one-page primer plus a sign-off log is a defensible minimum for a small business; revisit every twelve months.

7. Respect data subject requests

POPIA gives data subjects the right to ask what you hold about them (section 23), to correct or delete it (section 24), and to object to processing (section 11(3)). The Information Regulator interprets the response time as 30 days. You also have to verify the requester's identity before disclosing anything - someone phoning to ask for another customer's records is a classic social-engineering attempt.

Where to start

If you have not started yet, start with the data register (step 2). Everything else - the privacy notice, the breach plan, the response to any future DSAR - reads from it. Khanyitas builds the register with you in a five-step wizard and uses it to draft the rest.

If POPIA still feels overwhelming after that, work with a qualified attorney. Compliance is a real obligation, but it is not designed to destroy small businesses - the Information Regulator's guidance is explicit that proportionate, good-faith effort is what's expected.