POPIA has been in effect since July 2021. That’s three years of a lot of small business owners knowing they’re supposed to comply — and not being entirely sure what that means for a two-person operation that collects client names, email addresses, and the occasional ID number.

If that’s you, this is for you.

Let’s cut through the noise.

First, a reframe that changes everything

Most founders approach POPIA like a punishment waiting to happen — a compliance checklist designed to trip them up. That framing makes it feel heavy and avoidable.

Here’s a more useful way to think about it: POPIA is a trust law.

Its core purpose is to make sure that when someone hands you their personal information, they can trust you to handle it responsibly. That’s it. The compliance requirements are just the legal structure around that idea.

When you approach POPIA through the lens of trust — would my clients be comfortable knowing how I’m using their data? — most of the compliance picture becomes intuitive rather than intimidating.

What counts as “personal information”?

More than most founders realise. Personal information under POPIA includes:

If it can identify a specific person — directly or in combination with other data — it’s personal information.

Who needs to comply?

Every business that processes personal information. That includes collecting it, storing it, using it, sharing it, or deleting it.

If you have a client email list, you’re processing personal information. If you use a CRM, you’re processing personal information. If you keep a spreadsheet of leads, same story.

There is no threshold. A sole trader with ten clients needs to comply just as much as a company with ten thousand.

The Information Officer: what this actually looks like for a small business

POPIA requires every organisation to designate an Information Officer. For a solo founder or a small team, this sounds more intimidating than it is.

If you’re a sole trader or the only person making decisions in your business, you are the Information Officer by default. You don’t need to appoint someone new. You don’t need to hire a specialist.

You do need to register your Information Officer with the Information Regulator. This is an online process through the Regulator’s portal. It’s a once-off step, not an ongoing obligation.

For a five-person SME, the Information Officer is whoever is responsible for overseeing how the business handles personal data — typically a director or the owner. Again, no specialist required at this stage.

Consent: what it actually looks like

POPIA requires that people know why you’re collecting their information and agree to it. Proper consent means:

In practice, this looks like a clear opt-in on your contact form that says something like: “I agree to receive communications from [Business Name] about [specific topic]. I can unsubscribe at any time.”

It does not mean a pre-ticked checkbox. It does not mean a consent clause buried in size-8 font at the bottom of a page.

Your privacy policy: what it needs to say and where it lives

Every business website needs a privacy policy. This doesn’t need to be a 20-page legal document. It needs to explain, in plain language:

Where does it live? On your website — accessible from every page, typically in the footer. If you collect information through a form, there should be a link to the policy right there at the point of collection.

Data breaches: what you must do

If personal information in your care is compromised — whether through a hack, a lost device, or an accidental disclosure — POPIA requires you to act quickly.

You must notify the Information Regulator and, where relevant, the affected individuals. The notification needs to happen as soon as reasonably possible after you become aware of the breach.

Having a basic response plan in place before something happens makes this less chaotic. Know who you’d contact, what you’d say, and where your data is stored.

What most small businesses get wrong

Three common mistakes worth calling out:

Old email lists without proper consent. If you built a mailing list before POPIA came into effect and never got clear consent, those contacts are technically non-compliant. The fix isn’t complicated — a re-consent email that lets people opt in (or opt out) puts you in the clear.

Marketing emails without an unsubscribe option. Every marketing email you send needs a clear, working unsubscribe link. Every single one. No exceptions.

No privacy policy on the website. This is still the most common gap. It doesn’t need to be fancy. It needs to exist, be accurate, and be accessible.

 

What you don’t need to do

POPIA compliance at small-business scale does not require:

For most small SA businesses, compliance comes down to a few clearly defined steps: understand what data you hold, get proper consent, have a privacy policy, secure your data sensibly, and know what to do if something goes wrong.

The simplest frame for staying compliant

Treat personal data the way you’d want yours treated.

Would you want a business to email you without asking? To share your contact details without telling you? To keep your information indefinitely with no clear reason?

If the answer is no, you already understand the spirit of the law. Compliance is the process of making sure your systems and documents reflect that.

Where the Toolkits Come In

POPIA applies to every business that processes personal information — that includes solo founders with a client email list and SMEs managing employee records. The compliance steps are the same regardless of your stage.

If you want to move from understanding POPIA to actually implementing it:

The Start-Ups Toolkit (R1,495) covers the POPIA essentials every new business needs: what personal information you’re collecting, how to handle consent, and the privacy policy your website must have — all in plain language with practical workbooks.

The SME Toolkit (R2,495) goes deeper for businesses with employees — covering data handling for staff records, a full POPIA compliance framework, a privacy policy template, and the governance structures that support ongoing compliance as you grow.

Build your business on a solid legal foundation — without the six-month delay or R85,000+ cost.

Explore the Legal Toolkits →

PocketAdvisor
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.