POPIA Is Not a Once-Off Exercise
POPIA compliance for most South African businesses went something like this: someone raised the issue, a consultant was brought in or a policy was drafted internally, an Information Officer was appointed and registered with the Regulator, and the project was declared complete.
That was then. The problem is that compliance is not a project with an end date. It is an ongoing state that your organisation either maintains or drifts away from.
What changes after the initial implementation
When a new employee joins, they are going to handle personal information from day one. Are they trained on what POPIA requires? When a new supplier is appointed — a payroll provider, a marketing platform, a cloud storage service — are you entering into a data processing agreement before they touch any personal data? When a customer asks to see the information you hold about them, does your team know what the process is and can they deliver within the required timeframe?
Most organisations answered these questions correctly in their initial implementation. Most of them have not kept the answers current as the business changed around them.
The Information Regulator is watching
The Regulator was quiet in the first two years after enforcement began. That period is over. Complaints are being received, investigations are underway, and enforcement actions are happening. The fines under POPIA are significant — up to R10 million or up to ten years imprisonment for serious offences — but the more immediate cost for most businesses is reputational. A data breach that triggers a Regulator investigation is a public event.
The organisations that will weather this environment well are not the ones with the most sophisticated compliance programs. They are the ones that have actually embedded the principles into how they operate day to day, rather than having them live in a document that nobody reads.
The three areas that drift fastest
The first is third-party vendor agreements. Your supplier list changes constantly. New tools get procured, old ones get replaced. Each new tool that touches personal information needs a data processing agreement before it starts processing. This is a process discipline problem, not a one-time exercise.
The second is employee awareness. Staff turn over. New people join who have never been through your compliance training. The employees who did the original training two years ago have largely forgotten the specifics. POPIA requires that you take reasonable measures to ensure that personal information is handled correctly — which includes making sure the humans doing the handling know what correct looks like.
The third is your data retention policy. POPIA requires that personal information is not held for longer than necessary for the purpose it was collected. In practice this means you need a retention schedule and you need to actually follow it. Most organisations have neither.
What a practical ongoing compliance posture looks like
It is not annual audits and policy documents. It is a short set of standing processes: new supplier intake includes a DPIA check, new employee onboarding includes POPIA training, quarterly review of active vendor agreements, annual data mapping refresh. None of these are complicated. All of them require someone to own them.
The cost of non-compliance beyond the fine
The R10 million fine gets the headlines, but it is rarely the most expensive consequence of a POPIA failure. The real cost is operational. A Regulator investigation consumes management time, legal fees, and internal resources for months. A data breach that triggers notification obligations — which we covered in detail in POPIA breach notification: what you legally must do in the first 72 hours — forces the business into a reactive posture that stops everything else.
Then there is the reputational cost. In South Africa’s business community, a public POPIA breach is remembered. Customers ask questions. Prospects do due diligence. Partners review their data processing agreements more carefully. The business that had a breach and handled it poorly carries that weight for years. The business that had a breach and handled it well — because it had a standing compliance programme, not a once-off project — recovers much faster.
The organisations that understand this do not treat POPIA as a legal problem. They treat it as an operational discipline. The same way they manage financial compliance or health and safety. It is not exciting. It is not a project. It is just how the business runs.
Building the ongoing compliance habit
The businesses that maintain POPIA compliance over time share a common pattern. They have assigned ownership to a specific person, not a committee. That person has a checklist with quarterly triggers. New vendor onboarding includes a data processing agreement check. New employee training includes a POPIA module. The data flow map is updated annually. The retention schedule is reviewed and executed against.
None of these steps are difficult. They just need to happen on a schedule. The difference between a business that does them and one that does not is not budget or sophistication. It is whether someone is responsible and whether the calendar reminds them. That is the difference between a compliance document and being compliant.
Need Help With Your Security or IT?
We work with South African businesses to assess, deploy, and manage security and IT that actually fits. No jargon, no scare tactics. Practical advice and real support.
Contact Us →





