POPIA Compliance Policy

On Sale
$85.00

POPIA has been fully in force since 1 July 2021. The Information Regulator has enforcement powers including administrative fines of up to R10 million and criminal liability for responsible parties and their officers. Yet most South African businesses, even those handling sensitive employee data, client records, and credit information, are operating without a documented POPIA compliance policy.

This POPIA Compliance Policy covers all eight conditions for lawful processing under section 4: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. Each condition is translated into operational obligations and internal procedures.

The policy appoints the Information Officer role (mandatory under POPIA) and documents registration obligations with the Information Regulator, third-party operator due diligence and written agreements (sections 20–21), data subject rights procedures (access, correction, objection, and deletion requests), retention and destruction schedules, and the section 22 breach notification obligation, including the 72-hour internal escalation and mandatory Regulator notification requirements.

Special personal information (section 26), including health, biometric, religious, and political data, receives a dedicated chapter with heightened processing restrictions. Cross-border data transfer rules (section 72) are addressed for businesses with regional or international operations.

SADC angle: includes a cross-border transfer table mapping South Africa's adequacy requirements against Botswana, Mauritius, and Kenya's data protection regimes.

You will get a DOCX (41KB) file