POPIA has been in effect since July 2021. That’s three years of a lot of small business owners knowing they’re supposed to comply — and not being entirely sure what that means for a two-person operation that collects client names, email addresses, and the occasional ID number.
If that’s you, this is for you.
Let’s cut through the noise.
First, a reframe that changes everything
Most founders approach POPIA like a punishment waiting to happen — a compliance checklist designed to trip them up. That framing makes it feel heavy and avoidable.
Here’s a more useful way to think about it: POPIA is a trust law.
Its core purpose is to make sure that when someone hands you their personal information, they can trust you to handle it responsibly. That’s it. The compliance requirements are just the legal structure around that idea.
When you approach POPIA through the lens of trust — would my clients be comfortable knowing how I’m using their data? — most of the compliance picture becomes intuitive rather than intimidating.
What counts as “personal information”?
More than most founders realise. Personal information under POPIA includes:
- Name and contact details (email address, phone number, physical address)
- ID number and financial information
- Location data
- Race, gender, age, and other demographic identifiers
- Employment history and qualifications
- Opinions and views (including things people share in surveys or reviews)
- Even CCTV footage if it captures identifiable individuals
If it can identify a specific person — directly or in combination with other data — it’s personal information.
Who needs to comply?
Every business that processes personal information. That includes collecting it, storing it, using it, sharing it, or deleting it.
If you have a client email list, you’re processing personal information. If you use a CRM, you’re processing personal information. If you keep a spreadsheet of leads, same story.
There is no threshold. A sole trader with ten clients needs to comply just as much as a company with ten thousand.
The Information Officer: what this actually looks like for a small business
POPIA requires every organisation to designate an Information Officer. For a solo founder or a small team, this sounds more intimidating than it is.
If you’re a sole trader or the only person making decisions in your business, you are the Information Officer by default. You don’t need to appoint someone new. You don’t need to hire a specialist.
You do need to register your Information Officer with the Information Regulator. This is an online process through the Regulator’s portal. It’s a once-off step, not an ongoing obligation.
For a five-person SME, the Information Officer is whoever is responsible for overseeing how the business handles personal data — typically a director or the owner. Again, no specialist required at this stage.
Consent: what it actually looks like
POPIA requires that people know why you’re collecting their information and agree to it. Proper consent means:
- It’s specific (they’re agreeing to this use, not a vague catch-all)
- It’s informed (they understand what they’re agreeing to)
- It’s freely given (no pressure, no buried tick-boxes)
- It can be withdrawn
In practice, this looks like a clear opt-in on your contact form that says something like: “I agree to receive communications from [Business Name] about [specific topic]. I can unsubscribe at any time.”
It does not mean a pre-ticked checkbox. It does not mean a consent clause buried in size-8 font at the bottom of a page.
Your privacy policy: what it needs to say and where it lives
Every business website needs a privacy policy. This doesn’t need to be a 20-page legal document. It needs to explain, in plain language:
- What personal information you collect
- Why you collect it
- How you use it and store it
- Whether you share it with third parties (and if so, who)
- How long you keep it
- How someone can request access to, or deletion of, their information
Where does it live? On your website — accessible from every page, typically in the footer. If you collect information through a form, there should be a link to the policy right there at the point of collection.
Data breaches: what you must do
If personal information in your care is compromised — whether through a hack, a lost device, or an accidental disclosure — POPIA requires you to act quickly.
You must notify the Information Regulator and, where relevant, the affected individuals. The notification needs to happen as soon as reasonably possible after you become aware of the breach.
Having a basic response plan in place before something happens makes this less chaotic. Know who you’d contact, what you’d say, and where your data is stored.
What most small businesses get wrong
Three common mistakes worth calling out:
Old email lists without proper consent. If you built a mailing list before POPIA came into effect and never got clear consent, those contacts are technically non-compliant. The fix isn’t complicated — a re-consent email that lets people opt in (or opt out) puts you in the clear.
Marketing emails without an unsubscribe option. Every marketing email you send needs a clear, working unsubscribe link. Every single one. No exceptions.
No privacy policy on the website. This is still the most common gap. It doesn’t need to be fancy. It needs to exist, be accurate, and be accessible.
What you don’t need to do
POPIA compliance at small-business scale does not require:
- A dedicated compliance officer or a full-time data privacy role
- Enterprise-level software or data management systems
- A law firm on retainer
- A lengthy, complex internal audit process
For most small SA businesses, compliance comes down to a few clearly defined steps: understand what data you hold, get proper consent, have a privacy policy, secure your data sensibly, and know what to do if something goes wrong.
The simplest frame for staying compliant
Treat personal data the way you’d want yours treated.
Would you want a business to email you without asking? To share your contact details without telling you? To keep your information indefinitely with no clear reason?
If the answer is no, you already understand the spirit of the law. Compliance is the process of making sure your systems and documents reflect that.
Where the Toolkits Come In
POPIA applies to every business that processes personal information — that includes solo founders with a client email list and SMEs managing employee records. The compliance steps are the same regardless of your stage.
If you want to move from understanding POPIA to actually implementing it:
The Start-Ups Toolkit (R1,495) covers the POPIA essentials every new business needs: what personal information you’re collecting, how to handle consent, and the privacy policy your website must have — all in plain language with practical workbooks.
The SME Toolkit (R2,495) goes deeper for businesses with employees — covering data handling for staff records, a full POPIA compliance framework, a privacy policy template, and the governance structures that support ongoing compliance as you grow.
Build your business on a solid legal foundation — without the six-month delay or R85,000+ cost.