POPIA for Small Business: The Realistic Compliance Minimum

Lady Justice statue holding scales - South African law firm

By Onah Attorneys Inc • Updated July 2026 • Legal information, not a substitute for advice on your specific matter.

POPIA panic sells expensive audits; POPIA itself asks something more manageable: process personal information lawfully, secure it reasonably, and respect data subjects’ rights. Fines and enforcement are real and rising — but a small business reaches defensible compliance with a focused checklist, not a consulting season. Here it is.

What you’re accountable for

Any personal information you hold — customers, employees, suppliers, marketing lists. The conditions: process lawfully and minimally for a defined purpose, keep it accurate, don’t hoard it forever, secure it, and don’t shovel it to third parties without basis. ‘We’ve always kept everything’ is precisely the liability.

The five-document minimum

1) A privacy policy/notice that truthfully describes what you collect and why (on the website, in onboarding). 2) A PAIA/POPIA manual (mandatory, templated, published). 3) Consent/notice wording at collection points (forms, sign-ups). 4) Operator agreements with anyone processing data for you (payroll bureau, IT host, marketing agency) obliging security and confidentiality. 5) A one-page breach response plan (who assesses, who notifies the Regulator and subjects, when). Registered Information Officer at the Regulator’s portal completes the base.

Direct marketing rules — the tripwire

Electronic marketing (email/SMS) to NEW prospects requires opt-in consent — one shot to ask; existing customers may be marketed similar products with opt-out until they object. Every message needs an unsubscribe that works. Bought lists and scraped contacts are the classic SME violation, and the complaints that reach the Regulator start exactly there.

Security ‘appropriate’ to you

Reasonable measures scaled to your risk: access controls and passwords/MFA, laptop encryption, patched systems, locked cabinets for paper, staff briefed not to email spreadsheets of clients home, and vetted cloud providers. Perfection isn’t demanded; negligence is punished — a stolen unencrypted laptop with your client base is the fact pattern behind SA’s enforcement actions.

Breach and enforcement reality

Compromise notification: the Regulator and affected subjects, as soon as reasonably possible. Enforcement so far: notices and fines against serious/negligent handlers (the credit-bureau and courier cases set the tone); maximum penalties reach R10m and criminal exposure for obstruction. The defensible position isn’t ‘nothing can ever leak’ — it’s the paper trail showing you took the conditions seriously before the leak.

Frequently asked questions

Does POPIA apply to my 5-person business?

Yes — size is no exemption. The measures scale with size; the obligations don’t disappear.

Do I need a consultant or can I do this internally?

Most SMEs reach the minimum internally with proper templates and a legal review of the customer-facing pieces. Complex data businesses (health, credit, kids’ data) need more.

Can I email my existing customers about promotions?

Yes — existing customers, own similar products, with opt-out honoured. New prospects need prior consent. Never bought lists.

What must I do the day we’re hacked?

Contain, assess what was accessed, notify the Information Regulator and affected people without undue delay, record everything. The pre-written one-pager makes a panic into a process.

Speak to an Attorney Today

Get straight answers about POPIA compliance from a firm that fights to win. First consultation — no obligation, full confidentiality.

Call 011 042 8039 Request a Callback

Get help with this

⚖️ Request a Free ConsultationBook a ConsultationSpeak to an AttorneyFree Case Assessment
☎ Call NowFree Case Assessment