POPIA has been enforceable since July 2021, and the Information Regulator has shown it's not bluffing — with enforcement notices and fines now a reality. But for most SMBs, the path to compliance isn't as daunting as it sounds.
Here's what actually matters, stripped of the consultant jargon.
Step 1: Know what data you hold
Before you can protect personal information, you need to know what you have. Map out:
Customer data:: Names, ID numbers, addresses, contact details, payment information
Employee data:: HR records, payroll information, medical details, performance reviews
Supplier data:: Contact details, banking information, contracts
Website data:: Contact form submissions, newsletter signups, analytics with identifiable data
For each category, answer: Where is it stored? Who has access? How long do we keep it? Is it backed up, and if so, where?
Step 2: Secure the basics
The Information Regulator doesn't expect SMBs to have enterprise-grade security. They expect **reasonable measures**. In practice, this means:
Encryption:: Laptops and servers storing personal information must be encrypted. BitLocker (Windows) or FileVault (Mac) are free and sufficient.
Access control:: Not everyone in the company needs access to everything. Implement role-based access with unique user accounts — no shared logins.
Firewall:: A properly configured business-grade firewall (Fortinet, MikroTik, pfSense) that blocks unauthorised inbound traffic.
Email security:: Most POPIA breaches start with a phishing email. Implement email filtering (Mimecast, Microsoft Defender) and train your staff.
Updates:: Keep all systems patched. Unpatched vulnerabilities are the #1 entry point for attackers.
Backups:: If you're hit by ransomware, your backup is your only way out. Follow 3-2-1: three copies, two different media, one off-site.
Step 3: Get consent and be transparent
Your website needs a privacy policy that explains what data you collect, why, and how long you keep it. Contact forms need a consent checkbox. Marketing emails need an opt-out mechanism.
The key phrase: "We collect only what we need, we use it only for the purpose you gave it to us, and we delete it when we no longer need it."
Step 4: Appoint an Information Officer
For most SMBs, this is the owner or managing director. It's a legal designation, not a full-time role. Register with the Information Regulator — it's free and takes 15 minutes.
Step 5: Have a breach response plan
If personal information is compromised, you have to notify the Regulator and affected individuals. Write down: who gets called, what steps you take to contain the breach, and who communicates with affected parties. A plan on paper is infinitely better than figuring it out during a crisis.
What happens if you don't comply?
Enforcement is ramping up. The Regulator can issue administrative fines of up to R10 million. More importantly, clients are increasingly requiring POPIA compliance as a condition of doing business. Cyber insurance policies now require it too.
The bottom line
POPIA compliance for an SMB is mostly about doing the basics well: know your data, secure your systems, be transparent, and have a plan. You don't need a R50,000 consultant. You need a systematic approach and the right technical controls — most of which you should have anyway.



