Feb 27, 2021

FAQ – What is the purpose of Enterprise and Supplier Development?

It is important to ensure that you have your Enterprise & Supplier Development in place for your Broad-Based Black Economic Empowerment (B-BEE) verification. 

Under the Codes of Good Practice generic scorecard, you are able to obtain 5 points under Enterprise Development and 10 points under Supplier Development. This is 15 points that can be guaranteed if you comply with the requirements. 

The first requirement is that the Enterprise, as well as the Supplier Development Beneficiary, must be an Exempt Micro Enterprise (EME) or Qualifying Small Enterprise (QSE) with at least 51% Black Ownership. The Black Ownership should also be held by a person/s who are black as defined by the B-BBEE Codes of Good Practice. Please note that you cannot use the same beneficiary for both these elements. It needs to be separate entities.

Secondly, you need to spend the set targets on the beneficiaries within the financial year.  The targets are as follow (for the generic Codes of Good Practice):

  1. 2% of Net Profit After tax for Supplier Development
  2. 1% of Net Profit After tax for Enterprise Development

Thirdly, with Supplier Development you need to ensure that you procure from the Supplier Development Beneficiary in the financial year. 

However, keep in mind what the purpose is for Enterprise and Supplier Development – it is not just to obtain B-BBEE points, but also to assist entities to truly develop as sustainable businesses and contribute to the economy of South Africa as an operating business.

This is why SEESA clients are recommended to make use of Incuvest. They are an Enterprise & Supplier Development Incubator who ensure that the contributions made towards these 2 elements are spent in such a manner that it develops all the beneficiaries in their program. It also takes away the administrative side of these elements, as Incuvest already have all the required documentation and the beneficiaries comply with all the set requirements.

Please contact your legal advisor should you have any enquiries regarding these 2 elements or Incuvest and how the program works.

About the author:

Geralene van Wyk obtained her BA (Psychology) and LLB degrees from the North-West University. After her studies, she completed her articles in Pretoria and was admitted as a practicing attorney in 2006 and a conveyancer in 2007. She joined SEESA BEE in 2011 as a legal advisor and is currently a SEESA BEE National Training Senior Legal Advisor at the Pretoria Head Office.

POPIA compliance in 2026: the basics every business still gets wrong

Even years after POPIA came into full effect, the same compliance gaps continue to surface across different industries. Many businesses believe they are POPIA compliant until a complaint, audit, or data breach proves otherwise.

Here are some of the most basic POPIA mistakes we still see:

  1. Information Officers appointed “on paper only”.
    The Information Officer is registered on the Information Regulators e-Services portal, but there is no real understanding of the role, no internal authority, and no ongoing oversight of compliance activities.
  2. Outdated or generic privacy notices
    Outdated or generic privacy notices often misrepresent actual processing activities in the company.
  3. No POPIA training beyond management
    POPIA compliance is treated as a legal or HR issue, while frontline employees, who handle personal information daily, receive little or no training.
  4. Assuming IT equals POPIA compliance
    Strong IT systems alone are not enough. POPIA also requires policies, procedures, access controls, and human behaviour management.
  5. Weak access control and data minimisation
    Employees often have access to personal information they do not need, increasing the risk of internal breaches and unauthorised disclosure.
  6. No clear process for data subject requests
    Businesses struggle to respond within reasonable timeframes because there is no documented procedure for handling requests.
  7. Not reporting data breaches to the Information Regulator
    Many organisations do not fully understand what constitutes a data breach under POPIA or how to report it. As a result, breaches are often ignored or being overlooked entirely.
  8. Failure to review and update data processing agreements with Operators
    While operators are identified, many businesses fail to put proper data processing agreements in place or to review them regularly.
  9. Treating POPIA as a once-off exercise
    Compliance is viewed as a project with an end date, rather than an ongoing process requiring regular review, updates, and monitoring.

POPIA compliance is about awareness, accountability, and continuous improvement. Identifying and fixing these common gaps is often the first step towards meaningful compliance.

 

 

Speak to a SEESA Expert Today

Recent Posts

    Categories