POPIA · 8 min read

POPIA compliance for companies: a checklist that actually maps to the Act

POPIA is not a policy you write once. It is eight conditions you have to operate against — here is how to turn the Act into something your team can actually run.

The Complio team

The Protection of Personal Information Act (POPIA) governs how organisations in South Africa collect, use, store and share personal information. Most companies have a privacy policy on their website; far fewer can show they actually meet the Act's eight conditions for lawful processing. That gap is what the Information Regulator looks for.

The eight conditions, in plain terms

  • Accountability — someone (the Information Officer) is responsible and can evidence compliance.
  • Processing limitation — you process lawfully, minimally, and with a legal basis or consent.
  • Purpose specification — you collect for a specific, defined purpose and don't keep data longer than needed.
  • Further processing limitation — new uses must be compatible with the original purpose.
  • Information quality — you keep personal information accurate and up to date.
  • Openness — you tell people what you collect and why, and you maintain a PAIA manual.
  • Security safeguards — you protect data with appropriate technical and organisational measures, bind any operator that processes data on your behalf to the same standard, and notify the Regulator and affected data subjects of a security compromise.
  • Data subject participation — people can access, correct and delete their information.

What the Information Officer actually has to do

Every organisation has an Information Officer by default — the head of the entity, such as the CEO or equivalent — and the role can be delegated to deputies. Their duties are concrete: register with the Information Regulator before taking up the role, develop and maintain a compliance framework, ensure a PAIA manual is in place, handle data subject requests (including requests for access, correction and deletion), and act as the point of contact for the Regulator.

POPIA and PAIA travel together. Your PAIA manual is part of the "openness" condition, and a data subject's request for access to their personal information follows the PAIA request procedure. Treating them as one obligation — rather than two unrelated documents — is what keeps them current.

Where teams fall short

  • No record of where personal information lives or who it's shared with.
  • A privacy policy, but no evidence of the underlying controls.
  • Information Officer never registered with the Regulator.
  • No process for notifying the Regulator and affected data subjects of a security compromise as soon as reasonably possible after it is discovered.
  • No way to action a data subject access or deletion request.

Turning the Act into a workflow

POPIA compliance is durable only when it's operational — Information Officer appointments recorded, the PAIA manual maintained, access requests logged and answered, and an audit trail behind it all. Complio keeps these as structured, dated records tied to each entity, so when the question comes you can show compliance rather than describe it.


Bring this into one compliance workspace

Complio turns beneficial ownership, annual returns, POPIA and your company secretarial records into structured, audit-ready records. Book a walkthrough.

POPIA-aligned · role-based access · full audit trail