The Information Regulator is actively enforcing. If your organisation hasn't completed a POPIA gap analysis, this is your starting point—a no-nonsense checklist covering the most common gaps we find.
POPIA enforcement is no longer theoretical. The Information Regulator has issued fines, compliance notices, and public warnings — and South African businesses across sectors are feeling the pressure to demonstrate accountability.
After dozens of gap analyses, we've distilled the most common failure points into a checklist any compliance officer or CTO can work through in an afternoon.
The essentials
Appoint an Information Officer and register them with the Regulator. Publish a privacy policy that names your lawful bases, retention periods, and data subject rights. Maintain a processing activities record (ROPA) — even a spreadsheet is better than nothing.
Implement consent mechanisms where required, and ensure marketing databases have provable opt-in trails. Review third-party processors: your contracts must include POPIA-aligned clauses and breach notification timelines.
Technical controls that matter
Encryption at rest and in transit for personal information. Role-based access control with periodic reviews. Logging and monitoring for systems that store personal data. A tested incident response plan with Regulator notification procedures.
Staff training isn't optional — it's a condition of accountability. Annual refreshers with scenario-based exercises dramatically reduce the human-error incidents we see in breach reports.
Written by Khwezi Flatela
Khemo IT Solutions