The Protection of Personal Information Act (POPIA) has been fully enforceable since 1 July 2021, when the one-year grace period that followed its commencement ended, and the Information Regulator has moved from awareness campaigns to active enforcement. Administrative fines, enforcement notices and, for the offences the Act creates, criminal prosecution are now a reality for businesses that fail to protect personal information.
Your POPIA Compliance Checklist
1. Information Officer Registration
POPIA makes the head of your organisation (the CEO or equivalent) the Information Officer by default. That person is accountable for your organisation's data protection compliance and can designate deputy Information Officers to do the day-to-day work, but the accountability stays with them. The Information Officer must be registered with the Information Regulator before taking up the role. Have you submitted your registration via the Information Regulator's online portal?
2. Data Inventory and Mapping
You cannot protect what you don’t know you have. Document every category of personal information you collect, where it’s stored (databases, spreadsheets, cloud services, paper files), who has access to it, why you collect it (the lawful purpose), and how long you retain it.
3. Privacy Notices
Every data subject must be informed about what data you collect and why, how you process and store it, who you share it with, their rights under POPIA, and how to lodge a complaint. Your website needs a comprehensive privacy policy, and wherever you rely on consent as your lawful basis, your forms need separate, clearly worded consent checkboxes rather than a single "I agree to everything" box.
4. Consent Management
Where consent is your lawful basis for processing, POPIA requires it to be a voluntary, specific and informed expression of will. Pre-ticked checkboxes and bundled consent for unrelated purposes don't count. You need a system that records when consent was given, by whom, for which purpose and against which version of your privacy notice, and that honours withdrawal requests promptly: a data subject may withdraw consent at any time, and processing that relied on it must stop once they do.
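What "a system to record consent" looks like in practice is easier to see in code. The block below is an added example, not code from this page or from Toggle Now: an append-only consent ledger in Python with one event per (subject, purpose) grant or withdrawal, a point-in-time check used before processing, and a form handler that records consent only for checkboxes the browser actually submitted. The subject IDs, purpose names, form field names and timestamps are constructed sample data; the `ConsentLedger` and `record_form_consent` names are this example's own.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable ledger entry: either a grant or a withdrawal."""
    subject_id: str
    purpose: str           # one specific purpose, e.g. "marketing-email"
    granted: bool          # True = consent given, False = consent withdrawn
    recorded_at: datetime  # when it was recorded (UTC)
    notice_version: str    # which privacy notice the subject was shown
    source: str            # where it came from, e.g. "signup-form"


class ConsentLedger:
    """Append-only consent record. Nothing is edited or deleted, so you can
    always show what a subject had agreed to at any given moment."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def _append(self, subject_id: str, purpose: str, granted: bool,
                notice_version: str, source: str, at: Optional[datetime]) -> ConsentEvent:
        ev = ConsentEvent(subject_id, purpose, granted,
                          at or datetime.now(timezone.utc), notice_version, source)
        self._events.append(ev)
        return ev

    def grant(self, subject_id, purpose, notice_version, source, at=None):
        return self._append(subject_id, purpose, True, notice_version, source, at)

    def withdraw(self, subject_id, purpose, source, at=None):
        # A withdrawal is a new event, not a deletion: the original grant stays
        # on record as evidence of what was lawful before the withdrawal.
        return self._append(subject_id, purpose, False, "", source, at)

    def has_consent(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """Is consent for `purpose` in force at `at` (default: now)? Only the
        latest event at or before `at` counts, so a withdrawal takes effect
        immediately and a later re-grant is honoured as well."""
        when = at or datetime.now(timezone.utc)
        latest: Optional[ConsentEvent] = None
        for ev in self._events:
            if (ev.subject_id == subject_id and ev.purpose == purpose
                    and ev.recorded_at <= when
                    and (latest is None or ev.recorded_at >= latest.recorded_at)):
                latest = ev
        return latest is not None and latest.granted

    def history(self, subject_id: str) -> list[ConsentEvent]:
        """Everything recorded for one subject: what you hand over on an access request."""
        return [ev for ev in self._events if ev.subject_id == subject_id]

    def consented_subjects(self, purpose: str, at: Optional[datetime] = None) -> list[str]:
        """Subjects whose consent for `purpose` is in force. Build mailing runs
        from this, so withdrawn subjects drop out without a separate suppression list."""
        ids = {ev.subject_id for ev in self._events if ev.purpose == purpose}
        return sorted(s for s in ids if self.has_consent(s, purpose, at))


def record_form_consent(ledger: ConsentLedger, subject_id: str, form: dict,
                        notice_version: str, purposes: dict, at=None) -> list[str]:
    """Turn a submitted web form into ledger entries. Each purpose has its own
    checkbox; a box counts only if the browser sent it as checked ("on"), and a
    missing or unticked box records nothing (absence of a grant, not a withdrawal).
    Note the limit of a server-side check: a pre-ticked box the user never touched
    also submits "on", so the form itself must render every box unticked."""
    granted = []
    for purpose, field_name in purposes.items():
        if form.get(field_name) == "on":
            ledger.grant(subject_id, purpose, notice_version, "signup-form", at=at)
            granted.append(purpose)
    return granted


def demo() -> dict:
    """Worked scenario on constructed sample data (not real subjects)."""
    ledger = ConsentLedger()
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)    # signup
    t2 = datetime(2024, 3, 5, 9, 0, tzinfo=timezone.utc)    # a mailing run
    t1 = datetime(2024, 3, 10, 9, 0, tzinfo=timezone.utc)   # unsubscribe
    purposes = {"marketing-email": "consent_marketing_email",
                "marketing-sms": "consent_marketing_sms"}
    # subj-1 ticked the e-mail box and left SMS unticked; subj-2 ticked e-mail.
    form = {"email": "thandi@example.test", "consent_marketing_email": "on"}
    granted = record_form_consent(ledger, "subj-1", form, "notice-v3", purposes, at=t0)
    ledger.grant("subj-2", "marketing-email", "notice-v3", "signup-form", at=t0)
    ledger.withdraw("subj-1", "marketing-email", "unsubscribe-link", at=t1)
    return {
        "granted_at_signup": granted,
        "sms_consent": ledger.has_consent("subj-1", "marketing-sms", at=t1),
        "email_before_withdrawal": ledger.has_consent("subj-1", "marketing-email", at=t2),
        "email_after_withdrawal": ledger.has_consent("subj-1", "marketing-email", at=t1),
        "mailing_list_before": ledger.consented_subjects("marketing-email", at=t2),
        "mailing_list_after": ledger.consented_subjects("marketing-email", at=t1),
        "subj1_history_len": len(ledger.history("subj-1")),
    }
```

The point-in-time query is what answers the question the Regulator will actually ask after a complaint: not "does this person consent today?" but "did you have consent on the day you sent that message?". Keeping withdrawals as events rather than deleting the grant is what makes that answerable.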
5. Technical Security Measures
POPIA requires "appropriate, reasonable technical and organisational measures" to protect personal information. The Act does not prescribe specific controls; section 19 requires you to identify the reasonably foreseeable risks to the information you hold, put safeguards in place against them, regularly verify that those safeguards are actually working, and keep them updated, with regard to generally accepted information security practice. For most businesses that translates, at minimum, into encryption of data at rest and in transit, access controls and role-based permissions, endpoint protection on all devices, regular security patching and updates, network segmentation to limit breach impact, and regular vulnerability assessments. Keep the evidence (risk register, scan reports, access reviews): the verification step is a legal requirement, not just good practice.
6. Breach Response Plan
If there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, you must notify the Information Regulator and the affected data subjects "as soon as reasonably possible" after discovering the compromise. The notice to data subjects must give them enough detail to protect themselves, such as what was exposed and what steps they should take. A documented incident response plan, tested regularly, is essential. Your plan should cover detection and containment procedures, assessment of breach severity and of which data subjects are affected, notification templates and timelines, and remediation and prevention steps.
7. Third-Party Agreements
If you share personal information with service providers (cloud hosting, payroll, marketing platforms), POPIA treats them as operators and requires a written contract that binds them to the same security standards you follow, to process the information only on your instructions, and to treat it as confidential. An operator must also notify you immediately if it discovers a compromise, because your own notification clock starts once you know; make sure the contract says so. Review every vendor relationship and ensure contracts include data protection clauses, and where an operator stores the data outside South Africa, check that the transfer also meets the Act's cross-border conditions (section 72).
8. Staff Training
Human error is behind a large share of data breaches, from misdirected e-mails to credentials handed over in a phishing message. Regular training ensures employees understand what constitutes personal information, how to recognise and route data subject access and correction requests, how to recognise phishing and social engineering, and the proper procedures for data handling and disposal.
How Toggle Now Supports POPIA Compliance
Our managed IT services include the technical foundations of POPIA compliance: encrypted backups and communications, endpoint protection and monitoring, access management and audit logging, regular vulnerability scanning, and incident response support. We also partner with specialist POPIA consultants who can handle the legal and organisational aspects of compliance.
Not sure where you stand? Request a free POPIA readiness assessment and we’ll identify the gaps in your compliance posture.