The Information Regulator is actively enforcing the Protection of Personal Information Act. A fine of R5 million has already been issued in South Africa — with more to follow. Non-compliance is not a risk to manage later. It is a liability you carry today.
POPIA applies to every South African business that collects, stores, processes or shares personal information — with no exceptions for size or industry. The Act also requires every business, regardless of size, to have a PAIA Manual in place under Section 51 of the Promotion of Access to Information Act.
POPIA applies from the moment you collect a customer's name and email address. Every sole trader, SME and corporation is subject to the Act.
The Information Regulator is issuing enforcement notices, conducting investigations, and has already imposed a R5 million fine. This is not theoretical risk.
Section 51 of the Promotion of Access to Information Act requires every business to have a compliant PAIA Manual — regardless of size or structure.
We handle every element of your compliance — from the first appointment to the annual review. Nothing is left to chance.
We formally appoint and register your Information Officer (and Deputy where needed) with the Information Regulator, with a clear legal mandate and defined responsibilities.
We custom-draft your PAIA Manual from scratch, meeting all prescribed legal requirements — not an adapted template. Required for every business under Section 51.
A thorough audit of your business against all 8 conditions for lawful processing under POPIA. The result is a clear written report: where you are exposed, what must be fixed, and in what order.
We draft the full set of internal compliance policies: POPIA Compliance Policy, Information Security Policy, Data Retention & Destruction Policy, and Data Breach Incident Response Policy.
We draft your website Privacy Policy, Cookie Policy, and all Privacy Notices for employees, customers and suppliers — plus prescribed consent forms for data subject requests.
Any third party processing personal information on your behalf — payroll providers, IT companies, cloud services — must be bound by a POPIA-compliant Operator Agreement. We identify and draft these.
We establish a formal procedure for handling access, correction and deletion requests, draft the required forms, and prepare standard response templates so your business responds correctly and on time.
Practical awareness training for all staff and dedicated training for your Information Officer, covering specific legal duties. Attendance certificates issued and a training register maintained.
Compliance is not a once-off exercise. We conduct an annual review of all documents, update your PAIA Manual, inform you of regulatory changes, and support you when incidents or regulator correspondence arise.
We manage the entire process from discovery to certification, so you can focus on your business while we build your compliance framework.
Week 1 – 2
We get to know your business, your data flows, and your current compliance position before any work begins.
Week 2 – 3
We formally appoint and register your Information Officer (and Deputy where needed) with the Information Regulator.
Week 3 – 4
We custom-draft your PAIA Manual from scratch to meet all prescribed legal requirements under Section 51.
Week 4 – 6
All required internal compliance policies drafted — POPIA Compliance, Information Security, Data Retention and Breach Response policies.
Week 5 – 7
We map every category of personal information your business collects, processes, stores or shares — and identify your exposure points.
Week 7 – 8
We draft your Privacy Policy, Cookie Policy, and all Privacy Notices for employees, customers and suppliers — plus required consent forms.
Week 8 – 9
We assess and document the technical and organisational security measures required to protect personal information your business holds.
Week 9 – 10
We identify all third parties processing data on your behalf and draft POPIA-compliant Operator Agreements to bind each of them.
Week 10 – 11
Practical awareness training for all staff and dedicated training for your Information Officer. Certificates issued and a training register maintained.
Week 11 – 12
We establish your formal procedure for access, correction and deletion requests, and implement your data breach response plan and notification procedure.
Two options to suit your budget — both include the full 10-phase implementation over approximately 12 weeks.
Spread the cost over 12 months while getting full compliance from day one — with continued expert support for every incident and regulatory development that arises.
Get Started
Contact BizLegal for a free initial conversation about your POPIA & PAIA compliance position. We will tell you exactly where you stand and what it takes to get compliant.