POPIA is the piece of legislation most small business owners in South Africa know they should understand — but haven't quite got around to. If that's you, this guide will get you compliant in a weekend.
What POPIA is (in one sentence)
POPIA is South Africa's data protection law. It governs how you collect, store, use, and share any personal information about your customers.
The essentials every small business needs
1. A published Privacy Policy on your website
This isn't optional. Your Privacy Policy must clearly explain what data you collect, why you collect it, how you store it, who you share it with, and how customers can request or delete their data.
2. Explicit consent for marketing
You can't just add someone to your mailing list because they bought from you. They need to actively opt in.
3. Secure storage of personal data
You're legally responsible for keeping customer data safe.
4. A process for data requests
Customers have the right to ask what data you hold about them, correct it, or have it deleted.
5. Report data breaches
If your customer data gets leaked, hacked, or accidentally exposed, you're legally required to report it.
What non-compliance actually costs
Fines under POPIA can reach R10 million or up to 10 years' imprisonment for serious breaches.
POPIA compliance isn't a legal chore — it's a trust signal. Businesses that get it right build stronger client relationships.
If you're unsure whether your business is compliant, an Elevate consultation includes a POPIA audit as part of our onboarding process.