Wanna stay in the Regulator’s good books? We swear by these ten steps.


Suffering a data breach is the fastest way to catch the eye of the Information Regulator. The enforcement notices were flying in the last year, and most of them were for embarrassingly public breaches. Think Dis-Chem, Trans Union and even SAPS. The Regulator also issued an infringement notice and a R5-million administrative fine to the Department of Justice and Constitutional Development. Ouch!

One thing all these fluff ups have in common is that the ‘responsible party’ – that’s you – didn’t have a plan in place for what to do in case of a breach, or if they did, it wasn’t followed.

That’s why our first step for #winning POPIA compliance is to make sure that everyone knows what a breach is, what to do if a breach occurs and where to report it.

  • Your information security incident response procedure should explain how and when you must notify the Regulator of an incident. The Regulator expects responsible parties to report incidents within 72 hours.
  • Bonus points if you remember to also notify the affected ‘data subjects’—they are the victims after all.

“You can delay, if you are reporting the matter to the police and restoring integrity of IT systems, but beyond 72 hours we are beginning to look at you not nicely.”

(No kidding, the Information Regulator actually said that.)


If you want to avoid getting an enforcement notice of your own, make sure you assess information security risks, establish appropriate safeguards against those risks and regularly check that the safeguards are being implemented. If you want to #win at information security management, make sure you:

  • implement two-factor or multi-factor authentication
  • ensure effective access control
  • have contracts with operators
  • renew antivirus, monitoring and security software licenses


The POPIA Regulations require you to have a POPIA compliance framework. That’s just a fancy name for policies, procedures and templates.

These are the ones we recommend:

  • A data privacy policy
  • An Information Security Management Policy
  • A records management policy

Need help to make a set of your own? Get in touch with us.


Ensure that you do a personal information impact assessment (PIIA). This is when you assess, analyse and evaluate the risks that apply to your processing activities. In short, it’s up to you to check that you’re following your POPIA compliance framework. If you’re not, it’s important to assess what level of risk that creates and have a plan for mitigating that risk.

“Companies need to find the resources for privacy. Saying ‘I don’t have the resources to care about privacy,’ isn’t really a valid excuse. Even small businesses need to make sure their data is secure and not left open to hacks. It’s just a part of doing business responsibly these days.”

Eva Ascarza – Harvard Business School Associate Professor of Administration


The easiest way to prove you’re taking your POPIA compliance seriously is to publish your privacy notice (sometimes called a privacy policy) and PAIA manual.

  • Top tip: follow the Regulator’s PAIA manual template. Grin and bear the nonsensical headings and structure; they want you to follow it word-for-word. Publish it on your website and have a printed copy available at reception. All organisations must have a PAIA manual; there are no more exemptions for smaller businesses.
  • There is no template for privacy notices, but section 18 of POPIA gives you a handy list of things you need to cover. We recommend that you skip the Latin and legalese and rather draft your notice in plain, clear English. We explain why here.


POPIA says that you may only collect personal information directly from the data subject, unless one of the exceptions in section 12 applies. In other words, you must be able to identify the sources of personal information and show that you had a legitimate reason for having that information.

This becomes tricky if you, for instance, bought a lead list from a data broker or compiled a database by scraping LinkedIn. How would you prove that one of the direct collection exceptions applied: that you notified the data subject at collection (see #4), and that you had a legal justification for collecting that information?


Too many organisations write policies that they never implement. The policies are there, in a folder somewhere, but no one follows them. If your board has approved a Data Privacy Policy but no one is complying with it, it looks a lot like: “we knew what we were supposed to do, but we couldn’t be bothered”.

So how do you implement a policy or a procedure? By training of course. And no, emailing a document to all staff does not equate to implementation.

  • It’s important to keep a record of the training you have done so far and what you plan to do in the future.
  • Training is not a once-off and should be repeated at least once a year.
  • There must be clear consequences for employees who mess up. This might include a disciplinary hearing, or they may be required to repeat the training.


You may need to get consent from a data subject if you’re collecting the personal information of children, doing new, unexpected things with personal information collected for unrelated purposes; and for direct marketing. Check yourself, before you wreck yourself.

Before you start sending people direct marketing by email or SMS, and before you cold call them, you probably also need their consent. You must ask for their consent the first time you contact them. If they don’t respond or say ‘no’, you cannot market to them again. If they respond ‘yes’, you can continue to market to them until they opt out.

A consent hidden in Ts&Cs or in a privacy notice (or policy) is not a valid POPIA consent. Likewise, a paragraph in a written contract where ‘consent for the use of my personal information’ is provided, is not a valid POPIA consent.

To rely on consent for using personal information, the consent must be:

  • voluntary (i.e., a person must be allowed to accept Ts&Cs while saying ‘no’ to direct marketing)
  • specific (i.e., consent for a specific activity, not for processing personal information for any reason)
  • informed (i.e., you must provide enough information to allow the person to make a real decision to say ‘yes’)
  • positive action (i.e., the person must give a positive response, such as replying ‘yes’ to an SMS).

The fact that consent must be ‘voluntary’ means that a consent can always be withdrawn for any reason. This means that if you want to rely on consent to do a thing, you must be geared to allow people to change their answer to ‘no’ and to stop your activity when they do.

Why employment contracts shouldn’t include POPIA consent clauses: prospective employees can’t say ‘no’ if they want to get the job. Also, it’s not necessary to get your employees’ consent to process their personal information because you can mostly rely on one of the other legal justifications provided by section 11. Need convincing? Check out why PWC got fined EUR150,000.


Your data subjects can send you access and deletion requests. Here’s how to respond:

  • An access request happens when a person asks if you have their personal information, for a record or description of the information, and who you have shared the information with. You can deny a data subject access request if any of the grounds in Chapter 2 Part 2 (for public bodies) or Chapter 4 of Part 3 (for private bodies) of PAIA applies.
  • A data subject can ask you to delete their personal information using this form. Data subjects don’t have an absolute right to have their personal information deleted. You can refuse such a request if the processing of personal information is necessary to exercise the right of freedom of expression and information; to comply with a legal or contractual obligation; for lawful purposes related to your functions or activities; for archiving purposes in the public interest; for scientific, statistical, or historical research purposes; or to establish, exercise, or defend legal rights and claims.

Know your POPIA request from your PAIA request

Distinguishing a POPIA access request from a PAIA access request can be tricky. To make matters worse, the requester must use the same prescribed form when submitting a request. This is how you should respond to the different types of access requests:

For each request, ask who is sending it and why, then apply the matching principles or process:

  • Who: an employee, client, third party or any other data subject who believes that you are the responsible party. Why: they are sending a request about their own personal information. What to do: follow section 23 of POPIA.
  • Who: any other person or organisation. Why: to access information about your organisation. What to do: follow the process in your PAIA manual.


Information Officers and Deputy Information Officers must register on the Regulator’s new eServices portal. If you’ve already registered, you’ll need to migrate your user profile to the new portal.


Don’t ignore the Regulator. Easy, isn’t it?
