POPIA Hub

POPIA, demystified.

We read the Act so you don't have to. Below: plain-language guides, the questions everyone asks, and resources we'll happily email you a copy of.

POPIA, the short version

Six things every SA business should know.

The rest of the page goes deeper. This is the gist.

  1. POPIA is the Protection of Personal Information Act. It governs how South African organisations collect, store, use, and share personal information. In full force since 1 July 2021.

  2. It applies to every organisation processing personal information in SA. No size exemptions, no sector exemptions. If you have employees or customers, you're in.

  3. Maximum penalty: R10 million, or ten years inside. The Information Regulator actively investigates complaints and data breaches. They're not bluffing.

  4. The Act is built on eight conditions for lawful processing: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation.

  5. If you have a breach, notify the Information Regulator and affected people as soon as reasonably possible. Best practice (and our standard): within 72 hours.

  6. Every organisation must appoint an Information Officer and register them with the Regulator. Not appointing one is, in itself, a violation. The default is the CEO. We can help.

Request a copy

Practical tools for your business.

Ready-to-use resources built for South African businesses. Tell us which one and we'll email it across.

- POPIA Compliance Checklist
- Records Retention Guide for SA
- How to Appoint an Information Officer
- Data Breach Response Template

FAQs

Common POPIA questions, answered.

Does POPIA apply to my small business?

Yes. POPIA applies to every person or organisation that processes personal information in South Africa, regardless of size. There is no small business exemption.

What counts as personal information under POPIA?

Personal information is any information that identifies or can identify a living person: names, ID numbers, email addresses, phone numbers, location data, financial information, health records, and more.

Do I need to appoint an Information Officer?

Yes. Every organisation must appoint an Information Officer and register them with the Information Regulator. In smaller organisations, this is typically the CEO or owner by default.

How long do I have to report a data breach?

While no specific timeframe is legislated, POPIA requires notification as soon as reasonably possible. Best practice (and the standard Arcivo works to) is within 72 hours.

Can Arcivo help us become POPIA compliant?

Absolutely. Our Information Governance services include POPIA gap assessments, information audits, retention scheduling, and an ongoing managed compliance service. Book a free assessment to find out where you stand.

Reading is one thing. Knowing where you stand is another.

Book a thirty-minute readiness call. It's free, and we'll tell you exactly where you sit on POPIA.