The deadline was 1 July 2021, but it’s not too late …

Data protection is not a once-off effort but an ongoing undertaking to protect the accuracy, security and confidentiality of personal information. "Privacy by design" means that data protection is not a stand-alone business practice but one that pervades all aspects of your business operations.

As a minimum, you may start with these steps to become POPIA compliant:


  1. Register your Information Officer with the Information Regulator.
  2. Conduct a detailed personal information impact assessment: how are you currently processing personal information (who, what, how, where?), and what are the risks?
  3. In response to the personal information and the risks identified in your impact assessment, develop a compliance framework: an internal document that serves as the point of reference for the Information Officer, your staff and (if requested) the Information Regulator when implementing, monitoring and verifying your POPIA compliance.
  4. Establish your legal basis for processing personal information. Is it based on (documented!) consent, or is it necessary to protect your own, a data subject's or a third party's legitimate interest? Is it imposed by law or by a contractual obligation?
  5. Compile a ("Section 51") POPIA/PAIA manual and make it publicly available (e.g. via your website). You'll find the latest template for "private bodies" here.
  6. Establish internal procedures for handling requests from data subjects or the Information Regulator for access to, objection to, amendment of or deletion of personal information.
  7. Educate your staff on how to lawfully process the personal information of employees, clients, customers, suppliers, guests, etc.


Keep an eye out for "codes of conduct" for your business sector. POPIA invites organisations that "sufficiently represent any class of bodies, or any industry, profession, or vocation" to draw up their own, more specific conditions for processing personal information.