POPIA Three Years In: Where South African Businesses Are Still Exposed

POPIA has been enforceable since July 2021. Most South African businesses have done something about it — a privacy policy here, a data register there. Very few have done enough.

The Information Regulator has been relatively quiet since enforcement began, which has created a false sense of security in some organisations. Quiet does not mean inactive. The Regulator is building capacity, receiving complaints, and investigating. The enforcement actions that have happened have been significant.

Where most businesses are exposed

The most common gaps we find when doing POPIA assessments are not exotic. They are mundane. Customer data sitting in spreadsheets with no access controls. Email marketing lists with no documented consent basis. Third-party suppliers processing personal information with no data processing agreement in place. HR records retained indefinitely with no retention policy.

None of these are difficult to fix once identified. The challenge is that most businesses have never systematically looked. They passed their audit, they published their privacy policy, and they moved on.

What a practical POPIA review looks like

A practical POPIA review is not a legal audit. It is a structured look at how personal information actually flows through your business — where it comes in, where it goes, who has access, how long it is kept, and what happens when someone asks you to delete it. The output should be a short list of prioritised gaps with practical actions, not a 60-page report.

Most organisations can materially improve their POPIA posture in a few weeks of focused work. The barrier is usually not complexity — it is knowing where to start.

Hayshack provides practical POPIA compliance reviews for South African businesses. Get in touch to discuss your situation.