POPIA Compliance Certificate: What Buyers Need
There is no official POPIA certificate from the Information Regulator. Here is what attestations actually prove and what evidence buyers really want.

There is no official POPIA certificate from the Information Regulator. Here is what attestations actually prove and what evidence buyers really want.

Last updated: 28 May 2026. Written for South African owner-operators who just got asked for "their POPIA certificate" by a buyer or a tender and don't know what they're being asked for.
A customer or a tender document asks: "Please attach your POPIA compliance certificate."
Here's the awkward truth most owner-operators don't know: there is no such thing as a government-issued POPIA compliance certificate. The Information Regulator doesn't certify businesses. There's no central register of "POPIA-compliant companies." There's no badge.
What there is — and what the question is usually asking for — is evidence. That may include a third-party attestation, but the useful evidence is more practical: a POPIA framework, accountable owners, operator agreements, retention rules, and proof that customer-data workflows are controlled.
This piece explains how attestations work, who issues them, what they cost in ZAR (South African Rand), and when buyers really ask. It also explains when a POPIA framework → on its own is enough.
POPIA was modelled on the European Union's General Data Protection Regulation (GDPR). The GDPR doesn't have an official compliance certificate either — but it allows for "approved certification mechanisms" that European data protection authorities can recognise. Some of those mechanisms exist (ISO 27701 is the closest thing).
In South Africa, the same architecture sits in the law, but the Information Regulator hasn't approved any certification scheme. So nothing "official" exists today. What exists is a market of consultancies offering POPIA attestations — useful, but not the same as a government stamp.
When a buyer's procurement form asks for "your POPIA compliance certificate," they usually mean: "Send us something that shows you've taken POPIA seriously." A framework document plus a third-party attestation usually satisfies that. So does a POPIA framework → plus a written self-declaration, which is the cheaper route covered below.
An attestation is one professional's signed opinion. It typically covers what's in place, who's accountable, and what evidence is filed — a point-in-time snapshot. It doesn't promise the future and it doesn't replace the Regulator's view.
What a good attestation does cover:
What an attestation does not prove:
Read the small print. A good attestation says exactly what it does and doesn't cover.
Roughly four kinds of issuer in South Africa today, in price-tier order from highest to lowest.
| Issuer type | Indicative price (ZAR) | What you get | Best for |
|---|---|---|---|
| Big Four audit firms — PwC, Deloitte, KPMG, EY | R 60 000 – R 200 000+ | Most rigorous. Issued under a defined assurance standard (often ISAE 3000). | Tenders for government, financial services, or international corporates. |
| Specialist privacy consultancies — e.g. Michalsons, Information Officer Solutions | R 15 000 – R 50 000 | Strong specialist knowledge of POPIA, often staffed by lawyers + IT people. | SMBs serving enterprise buyers. |
| SA law firms | R 20 000 – R 80 000 | A POPIA review plus an opinion letter. Carries legal-opinion weight. | Contracts where the buyer wants a signed legal view. |
| General IT consultancies | R 5 000 – R 15 000 | Quality varies wildly. Check the attester's actual POPIA experience before commissioning. | Low-stakes procurement where the buyer just wants to see something signed. |
The single biggest cost driver isn't the firm — it's whether you have a framework in place already. If you have a complete framework → (policy, procedures, RACI, evidence schema), the attester is reviewing, not building. If you don't, the attester does both jobs at attester rates.
Most attestations follow a similar shape — four weeks if you're prepared, six to eight if you're starting from scratch.
If you're starting from scratch (no framework, no policy), the prep work pushes the timeline to 6–8 weeks. If you have everything in place, an attestation can land in 10 working days.
The cheapest way to compress the timeline is to build the framework yourself first — the POPIA compliance framework template → is the editable starting point. Most owner-operators can produce a first draft in a working day.
Most SA SMBs don't need a POPIA attestation. They need a POPIA framework. The two get conflated in conversation.
You probably need an attestation when:
You probably don't need an attestation when:
Spending R 30 000 on an attestation no-one will ever read is the kind of decision a POPIA consultant will quietly encourage. Be honest about whether anyone is going to ask.
For most SMBs, a self-completed POPIA framework plus a written self-declaration is enough. Combined with a copy of your framework →, a self-declaration passes most procurement reviews. It is not an attestation, and it shouldn't be called one — but it is honest, evidence-based, and free.
Self-declaration template:
[Business Name] — POPIA Self-Declaration
>
Date: [date]
>
[Business Name] declares that:
>
1. We have appointed an Information Officer, [Name], registered with the Information Regulator via the E-Services Portal. 2. We maintain a POPIA Policy, reviewed annually, current version dated [date]. 3. We operate condition-by-condition procedures aligned with the eight POPIA conditions. 4. We maintain operator agreements with all third-party processors under POPIA Section 21. 5. We respond to PAIA access requests within 21 working days and to POPIA Form 2 correction or deletion requests within 30 days, per the April 2025 amendment regulations. 6. We maintain an evidence register supporting each of the above.
>
Signed by: [Director Name] · Capacity: Director · Date: [date]
If your buyer pushes back on a self-declaration — "we need an independent attestation, not your own word" — that's a real signal, and the attestation is justified. If they accept it, you've saved R 15 000+.
If you commission an attestation, treat it as the start of an annual cycle, not a one-off purchase.
Partly. ISO 27001 covers information security management, which overlaps with POPIA Condition 7 (security safeguards). It does not cover Conditions 1–6 or 8. ISO 27701 (the privacy extension) is closer, but still not a POPIA-specific attestation. Most procurement teams asking for "POPIA certificate" will not accept ISO 27001 alone.
No. The Section 51 PAIA Manual is a different document, required by a different law (the Promotion of Access to Information Act), and serves a different purpose (transparency about what records you hold). Many businesses confuse the two. Keep both — they're not substitutes for each other.
We don't issue POPIA attestations. (We're integrators, not auditors.) But we build the evidence — audit logs, consent records, retention enforcement, data-subject-request fulfilment across WhatsApp + Sage + your AI tools — that an attestation needs.
The more prepared businesses have a much easier attestation process. Attestation Week 1 (gap review) goes much faster when every operator agreement, every audit log, and every consent record is already in one place.
If you're being asked for a POPIA certificate and don't know where to start, the AI Process Audit gives us an hour to understand the workflow and evidence gap. We'll tell you whether an attestation is likely to matter or whether a framework plus self-declaration is the more sensible next step.
BOOK A FREE AI PROCESS AUDIT
One free hour, remote or in person. We map one real workflow, show you where the value is leaking, and give you an honest next step. If it is not worth doing, we will tell you, and you keep the map.
01
You send this
A few details about the workflow you want to improve.
02
We reply same business day
With a Calendly link for a 1-hour slot that suits you.
03
1-hour audit
Workflow map, useful questions, and an honest go / no-go.
POPIA-aware handling. No mailing-list add. No auto-reply chain.