If you have less than 50 employees and your processing of personal information does not pose a significant risk to people, here is what you should and shouldn’t do. Most importantly, don’t panic. No one is going to jail. There is a lot of noise about POPIA and almost all of it is not intended for you. There are some things you can do that will cost you virtually nothing and everything will be fine. Don’t get persuaded into buying some POPIA toolkit, training, document or solution that you don’t need.

Less than 50 employees

Any organisation that has less than 50 employees is considered a small business from a data protection perspective. If you have less than 10, you are probably a micro-enterprise. But POPIA can still have a high impact on a small organisation if it poses a significant risk to people (data subjects). For example, an organisation with three employees with a database of the HIV status of most South Africans.

If you’re a small or medium business but the risk is high, consider joining our data protection for small and medium enterprises (SMEs) programme.

You pose a low risk to people

Some organisations do not pose a significant risk to people (or data subjects) and the impact on them is low. They usually have these characteristics.

  1. Processing personal information is not a key part of their business model. They are not data-driven.
  2. They process some personal information but little special personal information or children’s personal information.
  3. They have a low number of data subjects. For example, they only have 5 employees and 20 customers. Or they have no employees and only businesses for customers.
  4. The likelihood of them causing substantial damage or distress (including injury to feelings or anxiety) to their data subjects is low (see section 109(3)(e)).
  5. They don’t need to get prior authorisation from the regulator.

No one is going to jail.

Typical examples of low-risk small businesses

  • Beauty service providers (like a hair salon)
  • Small farms (like dairy farms)
  • Small physical retail stores (like selling ice cream to the public from a physical store)
  • Take away food shop or restaurant (like a fish and chips shop or pizzeria)
  • Coffee shop or cafe (like the picture above)
  • Guesthouses or Airbnbs (like someone who rents out four rooms)

What you should do – and it costs virtually nothing

  1. Consider where someone might suffer harm due to your activities and try to stop it from happening.
  2. Register your information officer online with the regulator. It’s the head of your business – like the shareholder, sole proprietor or main partner or member.
  3. Respect people’s privacy and protect their personal information from disclosure.
  4. Check that you have reasonable and appropriate security measures in place to secure the personal information you process, especially any bank account numbers.
    1. Use a password manager and anti-virus software.
    2. Install an SSL certificate on your website.
    3. Secure your physical office and any physical records that may have personal information in them.
    4. Ask anyone who processes personal information for you to agree to secure it.
  5. If you find out that an unauthorised person accessed the personal information you hold, tell the regulator about it by email, as well as the people whose information it is.
  6. Use a mass mailer to send any newsletters. Enable people to opt-out of any direct marketing communications you send to them.
  7. Consider adding a privacy policy to your website. You can use our free template to do it.
  8. Enable your data subjects to complain to you if they are unhappy with how you processed their personal information and then resolve it. They can probably just use the “contact us” page on your website.

You could watch our complimentary videos and answer our five questions but it is not essential. Try to do as much of what needs to be done yourself. If you have questions and can’t find answers on our website, contact the regulator via email.

Have a cup of coffee and focus on your business.

If you are a low-risk small business for POPIA, you’re probably also a low public-interest organisation for PAIA and you can read what you should and shouldn’t do for PAIA.

What you should NOT do for POPIA

  1. Panic or let this issue give you anxiety. There are enough other important things to worry about.
  2. Do a gap analysis or an assessment. It is just a waste of your time.
  3. Speak to a lawyer about the impact of data protection on your organisation.
  4. Hire a law firm or consultant to make you POPIA compliant.
  5. Join any programme or project (like the Michalsons programme) or buy any toolkit or solution. You simply don’t need it.
  6. Buy data protection software.
  7. Attend a workshop – answering the five questions is enough.
  8. Apply for prior authorisation – you probably don’t need it.

Legal guidance by its nature is intended for a large diverse audience – it does not deal with a specific client’s specific issue. Because of this, our guidance comes with a disclaimer. This article is published for general guidance purposes only. The content does not constitute specific legal advice.