Consumer Protection & POPI

POPIA compliance in 2026: the basics every business still gets wrong

Even years after POPIA came into full effect, the same compliance gaps continue to surface across different industries. Many businesses believe they are POPIA compliant until a complaint, audit, or data breach proves otherwise.
Here are some of the most basic POPIA mistakes we still see:
1. Information Officers appointed “on paper only”
The Information Officer is registered on the Information Regulator's e-Services portal, but there is no real understanding of the role, no internal authority, and no ongoing oversight of compliance activities.
2. Outdated or generic privacy notices
Outdated or generic privacy notices often misrepresent actual processing activities in the company.
3. No POPIA training beyond management
POPIA compliance is treated as a legal or HR issue, while frontline employees, who handle personal information daily, receive little or no training.
4. Assuming IT equals POPIA compliance
Strong IT systems alone are not enough. POPIA also requires policies, procedures, access controls, and human behaviour management.
5. Weak access control and data minimisation
Employees often have access to personal information they do not need, increasing the risk of internal breaches and unauthorised disclosure.
6. No clear process for data subject requests
Businesses struggle to respond within reasonable timeframes because there is no documented procedure for handling requests.
7. Not reporting data breaches to the Information Regulator
Many organisations do not fully understand what constitutes a data breach under POPIA or how to report it. As a result, breaches are often ignored or overlooked entirely.
8. Failure to review and update data processing agreements with Operators
While operators are identified, many businesses fail to put proper data processing agreements in place or to review them regularly.
9. Treating POPIA as a once-off exercise
Compliance is viewed as a project with an end date, rather than an ongoing process requiring regular review, updates, and monitoring.
POPIA compliance is about awareness, accountability, and continuous improvement. Identifying and fixing these common gaps is often the first step towards meaningful compliance.


Information Regulator gives update on POPIA & PAIA matters

The Information Regulator held a media briefing on 13 November 2025 to outline the latest developments in POPIA and PAIA enforcement, ongoing litigation, and regulatory priorities. The briefing, led by Chairperson Adv Pansy Tlakula, came at a fitting moment as South Africa marks 25 years of PAIA - a reminder of the country’s long-standing commitment to transparency and accountability. 1. Major Litigation Matters: DBE Matric Results Case. The Regulator previously instructed the Department of Basic...


Data Processing Agreements: Your Essential Guide.

At the core of POPIA's principles lies a fundamental distinction between two essential entities: The Responsible Party and an Operator. This distinction clearly outlines each party's roles, obligations, and responsibilities in upholding data protection standards and safeguarding individuals' privacy rights. The Responsible Party (usually a public or private business) will set out the purpose of the processing activity, and the Operator (sub-contractors, agents, suppliers,...


May A Data Subject Institute A Claim For Damages Against A Responsible Party For Not Complying With POPI?

Yes, a data subject may institute a civil action for damages in a court having jurisdiction against a responsible party for any breach of any provision of the Act as referred to in Section 73 of POPI, whether or not there is intent or negligence by the responsible party. It is, therefore, a no-fault liability unless the responsible party can prove that the breach was vis major, the data subject consented to the breach, the data subject was at fault, compliance was not reasonably practicable in...


Guidelines When Using WhatsApp Groups For Business Communication Purposes.

Using WhatsApp groups for internal workplace communication and marketing purposes has become very popular. Employers should therefore keep in mind that the Protection of Personal Information Act (POPIA) must be complied with when processing personal information on this platform. Things to keep in mind when using WhatsApp as a communication platform: Multiple devices are used for processing information, and that information is also stored on each device, such as the employee’s phone...


DYK – Your Business Needs To Have A Privacy Notice?

Section 18 of the Protection of Personal Information Act 4 of 2013 (POPIA) states that if personal information is collected, the responsible party (the business) must take practicable steps to ensure that the data subject is aware of specific points. These include: the type of information being collected; the name and address of the business; the purpose for which the information is collected; whether the supply of information is voluntary or mandatory; the consequences of failing to provide...


When Do I Not Need Consent To “Use” Or Process Personal Information In Terms Of POPIA?

Since The Protection of Personal Information Act (POPIA) came fully into force on 1 July 2020, businesses are coming to grasp the many requirements of being POPIA compliant. One question that seems to predominantly be on everyone’s mind when personal information is used is: “Did a person/business have consent to use personal information?”, or, “Where did you get consent to use my personal information?” Although important, this question seems to be the default point of reference when dealing...


Episode 150: Has your business done its personal information impact assessment?

SEESA Consumer Protection & POPI Legal Advisors Viantha Govender and Shanay Reddy discuss the duty of an Information Officer within a business to complete a Personal Information Impact Assessment to identify and minimise the data protection risks from processing personal information within the business in terms of the POPI Act. Click on the play button below to listen to our podcast! Should you require additional information regarding the Protection of Personal Information Act, please...


Are You Entitled To Return Goods If You Have A Change Of Heart?

The Consumer Protection Act allows a consumer to return goods in four instances. For example, with direct marketing or, as we refer to it, the "cooling-off period", which allows a consumer to return and get a refund on the goods they purchased after a period of five (5) days. Consumers are also allowed to return goods when the purchased items have not been seen before the purchase, when the purchased items do not meet the intended purpose, and lastly, for defective goods in the case of an implied...


Access to Personal Information in the Public Domain

The Protection of Personal Information Act, 4 of 2013 (The POPI Act) protects an individual’s personal information. The POPI Act also ensures that the right to privacy in terms of the Constitution is upheld. It is important to remember that processing personal information is only applicable when a responsible party processes it. Any processing for personal or household activity is excluded from the POPI Act as stated by Section 6(1)(a). With personal information in the public domain, people...
