1. Understand what POPIA protects
Any personal information relating to an identifiable, living natural person (and, under POPIA, an existing juristic person): customers, staff, suppliers. Name, email, ID number, biometric data, location, online identifiers such as IP addresses or device IDs. POPIA applies to a responsible party domiciled in South Africa, or one outside South Africa that uses means located in South Africa, regardless of the data subject's nationality. If you hold it, POPIA applies.
2. Map your processing to the eight conditions
Accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. Every policy and process should map to these.
3. Appoint an Information Officer
By default the head of the business (the CEO or equivalent) is the Information Officer and must be registered with the Information Regulator before taking up the duties; deputy Information Officers can be designated to do the day-to-day work. Registration is free and is done online.
4. Build a record of processing
Catalogue every place personal information is held: CRM, accounting, email, HR files, CCTV, WhatsApp groups. For each, record what is collected, why, who accesses it, and how long it's kept.
5. Implement security safeguards
POPIA (section 19) requires 'appropriate, reasonable technical and organisational measures' and spells out the cycle: identify reasonably foreseeable internal and external risks, establish and maintain safeguards against them, regularly verify that the safeguards are effectively implemented, and update them as new risks appear. In practice: access controls, encryption at rest for sensitive fields, MFA for admin systems, endpoint protection, logging, and an incident response plan.
6. Prepare a breach notification process
If personal information is accessed or acquired by an unauthorised person, section 22 requires you to notify the Information Regulator and the affected data subjects in writing 'as soon as reasonably possible' after discovering the compromise. Unlike the GDPR, POPIA sets no fixed deadline, so treat 72 hours as an internal target rather than a statutory limit. Notification to data subjects may be delayed only where the Regulator or a law enforcement body determines it would impede a criminal investigation. The notice must describe the possible consequences, the measures taken or planned to address the compromise, what the data subject can do to mitigate it, and, if known, the identity of the unauthorised person. Have a template ready.
7. Sign vendor operator contracts
Any third party processing personal information on your behalf is an 'operator' under POPIA, and section 21 requires a written contract with it. The contract must bind the operator to process only with your knowledge or authorisation, to treat the information as confidential, to maintain the section 19 security safeguards, and to notify you immediately where there are reasonable grounds to believe the personal information has been compromised. Keep copies.
8. Automate the evidence with Citadel Frame
The POPIA compliance profile inside Citadel Frame Fortress maps every control to evidence, produces auditor-ready reports, and flags gaps with remediation steps.