POPIA Is Not a Once-Off Exercise
POPIA compliance for most South African businesses went something like this: someone raised the issue, a consultant was brought in or a policy was drafted internally, an Information Officer was appointed and registered with the Regulator, and the project was declared complete.
That was then. The problem is that compliance is not a project with an end date. It is an ongoing state that your organisation either maintains or drifts away from.
What changes after the initial implementation
When a new employee joins, they are going to handle personal information from day one. Are they trained on what POPIA requires? When a new supplier is appointed — a payroll provider, a marketing platform, a cloud storage service — are you entering into a data processing agreement before they touch any personal data? When a customer asks to see the information you hold about them, does your team know what the process is and can they deliver within the required timeframe?
Most organisations answered these questions correctly in their initial implementation. Most of them have not kept the answers current as the business changed around them.
The Information Regulator is watching
The Regulator was quiet in the first two years after enforcement began. That period is over. Complaints are being received, investigations are underway, and enforcement actions are happening. The fines under POPIA are significant — up to R10 million or up to ten years imprisonment for serious offences — but the more immediate cost for most businesses is reputational. A data breach that triggers a Regulator investigation is a public event.
The organisations that will weather this environment well are not the ones with the most sophisticated compliance programs. They are the ones that have actually embedded the principles into how they operate day to day, rather than having them live in a document that nobody reads.
The three areas that drift fastest
The first is third-party vendor agreements. Your supplier list changes constantly. New tools get procured, old ones get replaced. Each new tool that touches personal information needs a data processing agreement before it starts processing. This is a process discipline problem, not a one-time exercise.
The second is employee awareness. Staff turn over. New people join who have never been through your compliance training. The employees who did the original training two years ago have largely forgotten the specifics. POPIA requires that you take reasonable measures to ensure that personal information is handled correctly — which includes making sure the humans doing the handling know what correct looks like.
The third is your data retention policy. POPIA requires that personal information is not held for longer than necessary for the purpose it was collected. In practice this means you need a retention schedule and you need to actually follow it. Most organisations have neither.
What a practical ongoing compliance posture looks like
It is not annual audits and policy documents. It is a short set of standing processes: new supplier intake includes a DPIA check, new employee onboarding includes POPIA training, active vendor agreements are reviewed quarterly, and the data map is refreshed annually. None of these are complicated. All of them require someone to own them.
Hayshack provides practical POPIA advisory for South African businesses — not legal counsel, but the structured operational assessment of where you actually stand and what needs attention. Get in touch if you want a clear picture rather than a compliance document. For organisations wanting continuous visibility into how personal data flows through their IT environment, Claritam’s monitoring layer makes the data mapping question answerable without manual effort.