
POPIA Compliance
The Pitfalls Most Businesses Still Fall Into

Zweli Khumalo
Mar 5, 2026

South Africa's Protection of Personal Information Act became fully enforceable in July 2021. Since then, the Information Regulator has steadily escalated its approach, moving from education and awareness into active enforcement, administrative fines, and criminal referrals. No business, regardless of size or sector, is beyond its reach.
The act sets out eight conditions for the lawful processing of personal information, covering everything from how consent is collected to how breaches must be reported. Get any of them wrong, and the consequences range from reputational damage to fines of up to R10 million. Yet many businesses still treat POPIA as a once-off checkbox exercise rather than an ongoing operational obligation.
What follows is a practical breakdown of the most common pitfalls, split between the challenges facing smaller businesses and the more complex traps that tend to ensnare larger organisations.
Where SMEs are getting it wrong
Small and medium enterprises face a specific set of POPIA challenges. Research published in 2025 found that SMEs face significant compliance challenges due to constrained financial and technical resources, often lacking dedicated legal or compliance staff to interpret and implement the law correctly.
1. Assuming size grants exemption
POPIA applies to every entity that processes personal information in South Africa, regardless of how small the operation. A sole trader collecting customer email addresses, a startup running a CRM, a freelancer storing client details on a spreadsheet: all fall under the act. There is no SME carve-out.
2. Not appointing an Information Officer
Every organisation that processes personal information must appoint an Information Officer and register them with the Information Regulator. For small businesses, this role defaults to the CEO or business owner, but few are aware of this and fewer still have formally registered. The April 2025 amendments introduced new obligations for Information Officers specifically, making this gap more consequential than ever.
3. Collecting more data than necessary
POPIA's data minimisation principle is straightforward: only collect what you actually need, for a defined and lawful purpose. Many small businesses gather information out of habit or vague future intent, leaving themselves exposed. Holding data beyond its useful purpose is a compliance risk in itself.
4. Ignoring direct marketing rules
The Information Regulator issued its first direct marketing enforcement notice in February 2024 against a training institution that was sending unsolicited communications and ignoring opt-out requests. The company was ordered to immediately cease all unsolicited electronic communications. Many small businesses run exactly this kind of marketing, unaware that consent under POPIA must be specific, voluntary, and informed, and that silence or pre-ticked boxes do not count.
5. No privacy policy on the website
POPIA requires any organisation that collects personal information to publish a privacy policy that explains what is collected, why, and what happens to it. Many SME websites still lack one entirely, or rely on generic templates copied from unrelated businesses in other jurisdictions that do not meet South Africa's specific requirements.
Reality check
The Information Regulator is concentrating enforcement on cases with widespread impact, but enforcement notices can and do reach smaller operators. The February 2024 action against FT Rams Consulting, a training institution, was a clear signal that no sector is off limits.
Where large organisations are still falling short
Larger organisations tend to have compliance frameworks in place, but size creates its own vulnerabilities. The more people, systems, and third parties involved in data processing, the more places things can go wrong.
1. Treating compliance as a technology problem
Bowmans' 2025 analysis of POPIA challenges notes that organisations frequently emphasise their technical security measures while overlooking the organisational side. The Information Regulator has stressed that employee conduct and operational procedures matter just as much as firewalls and encryption. A well-designed IT infrastructure cannot compensate for a culture where staff share personal information casually, as the enforcement notice against the South African Police Service for sharing crime victims' personal details on a WhatsApp group demonstrated.
2. Inadequate compliance frameworks
Many organisations mistake a security policy or access management policy for a POPIA compliance framework. They are not the same thing. A proper compliance framework must specify the steps being taken to satisfy each of POPIA's eight conditions for lawful processing. The Information Regulator's assessments routinely flag the absence of personal information impact assessments and documented compliance frameworks as major gaps.
3. Third-party and supplier blind spots
The Dis-Chem data breach of 2022, which exposed the personal information of 3.6 million customers, originated through a third-party service provider. Under POPIA, a responsible party cannot outsource its accountability. If your supplier suffers a breach involving your customers' data, you bear legal exposure. Large organisations with extensive vendor networks are particularly vulnerable to this gap.
4. Misunderstanding breach reporting obligations
Unlike the GDPR, POPIA currently contains no risk or materiality threshold for reporting a data breach. Any breach, regardless of scale, must be reported if there are reasonable grounds to believe that an unauthorised person has accessed personal information. In April 2025, the Information Regulator launched a formal e-Services Portal as the mandatory channel for submitting breach notifications. Organisations that have not updated their incident response plans to use this system are already behind.
5. Cross-border transfer failures
POPIA restricts transfers of personal information outside South Africa to countries that maintain an adequate level of data protection. Multinational organisations and businesses using cloud services hosted outside South Africa often process such transfers without the required documentation or safeguards in place. The 2025 regulatory amendments sharpened obligations around cross-border transfers, including requirements to inform data subjects about where their data is going and the protections in place at the receiving end.
6. Providing lesser protections to South African users
In 2024, the Information Regulator issued an enforcement notice against a major social media platform after finding that its terms and conditions for South African users offered weaker data privacy protections than it provided to users in other jurisdictions. Organisations operating globally must ensure that their South African users receive protections that are at least equivalent to those offered elsewhere.
"The Information Regulator has shifted from education to enforcement. Treating POPIA as a compliance checkbox is no longer a viable strategy."
Enforcement is accelerating
During 2024 alone, the Information Regulator issued four enforcement notices against public and private entities, including one against the Department of Justice, against which it imposed its first-ever administrative fine after the department failed to comply with an earlier notice. The Regulator has also signalled its intention to approach Parliament to expand its enforcement powers further, including the ability to impose immediate sanctions rather than waiting for the notice process to conclude.
The 2025 amendments to POPIA's regulations introduced additional obligations for Information Officers, simplified the mechanisms through which data subjects can object to processing and request deletion, and clarified consent requirements for electronic direct marketing. Organisations that built their compliance programmes before April 2025 need to reassess them against the updated framework.
New technologies are adding further complexity. The Information Regulator has established a dedicated committee to address AI and facial recognition, signalling that the compliance landscape will only become more demanding. Businesses that have been slow to act are running out of runway.
