POPIA Compliance Checklist: What Every SA Small Business Needs

The Protection of Personal Information Act (POPIA) has been fully enforceable since July 2021. Yet most South African small businesses are still not fully compliant. The Information Regulator is active, complaints are being investigated, and fines of up to R10 million are possible.

Here's your practical checklist to get your business in order.

The Basics: What POPIA Requires

POPIA requires that any business processing personal information must:

• Have a lawful reason for collecting and processing data
• Only collect data that's necessary for a specific purpose
• Keep data accurate and up to date
• Store data securely with appropriate safeguards
• Delete data when it's no longer needed
• Allow individuals to access, correct, or delete their data

Your IT Compliance Checklist

Data Inventory

• Identify all personal data your business collects (client info, employee records, supplier details)
• Document where this data is stored (servers, cloud, email, spreadsheets)
• Map data flows — who has access, where it's shared, how it's backed up

Access Controls

• Implement role-based access — staff only access data they need for their job
• Enable multi-factor authentication on all business accounts
• Remove access immediately when staff leave (automated offboarding)
• Review access permissions quarterly

Data Protection

• Encrypt sensitive data at rest and in transit
• Implement endpoint protection on all devices
• Deploy email filtering to prevent phishing and data leaks
• Ensure backups are encrypted and stored securely offsite

Breach Response

• Document an incident response procedure
• Know your obligation: notify the Information Regulator within 72 hours of a breach
• Test your incident response plan annually
• Train staff on recognising and reporting potential breaches

Consent and Rights

• Update your privacy policy to be POPIA-compliant
• Obtain explicit consent where required before collecting data
• Have a process for handling data subject access requests
• Implement data retention policies — don't keep data you no longer need

Staff Training

• Train all staff on POPIA basics and their responsibilities
• Conduct regular security awareness training
• Run simulated phishing exercises

Where an MSP Fits In

Most small businesses don't have the in-house expertise to handle the technical side of POPIA compliance. A managed service provider handles:

• Access controls and MFA setup across your entire Microsoft 365 tenant
• Endpoint protection that detects and contains threats
• Email security that prevents phishing attacks
• Backup and encryption for all your business data
• Automated onboarding/offboarding so access is managed properly
• Documentation of your IT security measures for audit purposes

How MiBOT Helps with POPIA

MiBOT Support's ISO 27001 certification means our processes already align with POPIA's requirements. We help our clients with:

• Technical safeguard implementation
• Security documentation for audit readiness
• Incident response planning and testing
• Regular security awareness training for staff

Don't wait for a complaint to force compliance. Talk to us about getting your IT POPIA-ready.