Last updated: 28 May 2026. Print this. Tick the boxes before a workflow starts moving customer, staff, supplier, message, or document data.
Most South African owner-operators can name two POPIA things: they got a once-off lawyer pack in 2021, and there is an Information Regulator that hands out fines. The gap is operational: which data is collected, where it goes, who can see it, how long it stays there, and what changes when automation or AI enters the workflow.
This checklist is a practical pre-automation scan. Print it, tick the boxes, and you will know which control points need attention before the workflow gets faster.
It's not a substitute for the POPIA compliance pillar → (which explains why each item matters) or the framework template → (which gets you to evidence-record level). It's a fast self-audit you can run on a Tuesday morning between coffees.
···
TL;DR — the seven items most SMBs trip on
If even one of these makes you wince, finish the checklist below.
- 01Information Officer not registered. Even one-person businesses need to register their Information Officer with the Regulator. Most owners don't know they're the IO by default — the CEO is the IO unless someone else is designated.
- 02Privacy notice not visible at the moment of collection. A privacy notice buried in your website footer doesn't count when you take customer details over WhatsApp.
- 03No record of consent for direct marketing. Broadcast lists on WhatsApp Business need explicit opt-in. A name in your customer-relationship-management database is not consent.
- 04No deletion / retention schedule. "We keep customer data forever" is not a policy. It's a fine waiting to happen.
- 05Third-party processors not under contract. Your accountant, CRM provider, automation platform, AI provider, or virtual assistant may be an "operator" under POPIA and may need an operator agreement under Section 21.
- 06No process for data subject requests. When a customer asks "what do you have on me?" or "delete me", the April 2025 amendments give you 30 days. Most SMBs have 0 days of preparation.
- 07Cross-border data transfers undocumented. ChatGPT, Google Workspace, Microsoft 365 all process your data outside South Africa. You need to know which and document the lawful basis under Section 72.
···
1. The pre-checklist — does POPIA actually apply to you?
Quick yes/no. Almost certainly yes — and the rules don't bend with business size.
Tick any of these and POPIA applies:
- –[ ] We collect customer names, phone numbers, emails or ID numbers
- –[ ] We have a customer-relationship-management database, spreadsheet, or accounting system with customer records
- –[ ] We send customer information to a third party (accountant, courier, payment provider)
- –[ ] We store employee records (most businesses)
- –[ ] We have supplier records with individual contact people
- –[ ] We use a website with a contact form
- –[ ] We use WhatsApp Business with customer conversations
- –[ ] We run any chatbot — scripted, WhatsApp-based, or generative-AI-powered
Ticked at least one? You're a responsible party under POPIA. Continue.
···
2. The eight conditions — quick self-audit
POPIA spells out eight conditions every business must meet. Walk through each one and tick honestly. Anything blank is a remediation item.
Condition 1 — Accountability
- –[ ] We have an Information Officer (named, in writing)
- –[ ] The Information Officer is registered with the Information Regulator's E-Services Portal
- –[ ] We have a written POPIA policy
- –[ ] Someone reviews it at least annually
Condition 2 — Processing limitation
- –[ ] We collect the minimum personal information needed for each purpose
- –[ ] We have a lawful basis (consent / contract / legal obligation / legitimate interest) for each type of processing — see POPIA Section 11
- –[ ] We can show how we obtained consent where consent is the basis
- –[ ] We refuse to over-collect on intake forms
Condition 3 — Purpose specification
- –[ ] Every collection point tells the person why we're asking
- –[ ] We don't re-purpose data without fresh consent
- –[ ] We have a written retention schedule (see Section 5 below)
Condition 4 — Further processing limitation
- –[ ] We never use data for a purpose the person didn't agree to
- –[ ] If we want to use data for marketing, we have a separate consent for that
Condition 5 — Information quality
- –[ ] We have a way for people to correct their information
- –[ ] We periodically clean records (de-duplicate, archive)
- –[ ] We don't act on data we know is wrong
Condition 6 — Openness
- –[ ] We have a published privacy notice
- –[ ] It's visible at the moment we collect data (not buried in the footer)
- –[ ] It's in plain English, not legal-speak
- –[ ] It lists what we collect, why, who we share it with, where it goes, and how long we keep it
Condition 7 — Security safeguards
- –[ ] Passwords are strong and not shared
- –[ ] Two-factor authentication is on for email, CRM, accounting
- –[ ] Devices with personal information are encrypted
- –[ ] Old data on retired laptops is wiped before disposal
- –[ ] Backups are encrypted and access-controlled
- –[ ] Staff have signed a confidentiality clause
- –[ ] We have a breach playbook ready BEFORE we need it (per Section 22)
Condition 8 — Data subject participation
- –[ ] We have a written procedure for "what do you have on me?" requests
- –[ ] We can respond within the deadline (21 working days for PAIA access requests; 30 days for POPIA correction/deletion under Form 2 since April 2025)
- –[ ] We have a written procedure for "delete me" requests
- –[ ] We log every data subject request and our response
···
3. The April 2025 amendments — three new things
The April 2025 amendment regulations (Government Gazette GG52523, commenced 17 April 2025) added obligations most owners haven't caught up to. Michalsons' plain-English read is the best short summary; the three things that touch this checklist are:
- –[ ] Direct-marketing consent is broader. Now covers WhatsApp, SMS, e-mail, fax, automated calling, AND live phone calls — see the Information Regulator's Direct Marketing Guidance Note. A name in your database is not consent. Explicit opt-in (form, checkbox, signed clause) is.
- –[ ] WhatsApp broadcast lists need their own consent. "We add new customers to the broadcast list" without separate notification is a direct-marketing breach. See the WhatsApp companion article → for the consent-capture mechanics.
- –[ ] 30-day response window on Form 2 requests. Once a customer submits a Form 2 (correction or deletion), you have 30 days to respond. Set up the inbox and the response template now.
The bigger 2025-26 enforcement context — the Department of Basic Education R 5 million fine, the WhatsApp enforcement notice on Meta, the OUTsurance live-call marketing case — is covered in full in the pillar's "What changed in 2024–2026" section →.
···
4. The Information Officer — the easiest thing to fix today
The single highest-leverage compliance step. Most SA SMBs are non-compliant on this one item alone. It takes ten minutes and costs nothing.
- –[ ] Pick an Information Officer (the CEO by default under POPIA Section 55)
- –[ ] Register them with the Information Regulator's E-Services Portal
- –[ ] Print the registration confirmation
- –[ ] File the registration in your "POPIA evidence" folder
- –[ ] Update your privacy notice with the Information Officer's name + contact email
If you want a step-by-step on the registration itself, Michalsons has a good FAQ on the process. Budget twenty minutes including the captcha and the verification email round-trip.
···
5. The retention + deletion schedule — write it down today
POPIA doesn't tell you how long to keep data. It tells you that "indefinite" is not an answer (Section 14). Write the numbers below into a one-page schedule, sign and date it, file it.
Quick retention schedule template:
- –[ ] Customer order records. Kept for X years from the last transaction. (Default: 5 years — matches the Tax Administration Act.)
- –[ ] Customer marketing consents. Kept until consent is withdrawn + 6 months audit window.
- –[ ] WhatsApp conversations. Kept for X years from end of customer relationship. (Default: 3 years.)
- –[ ] Chatbot conversation logs. Kept for X months. (Default: 12 months unless a specific use case demands longer.)
- –[ ] Employee records. Kept for X years from end of employment. (Default: 5 years for tax + payroll.)
- –[ ] Supplier records. Kept for X years from last invoice. (Default: 5 years.)
- –[ ] CCTV / access logs. Kept for X days. (Default: 30 days unless an incident triggers retention.)
Fill in your numbers. That is your retention schedule.
···
6. The third-party processor list — who has access?
Every entity that touches your customer data is an "operator" under POPIA Section 21 and needs a written agreement. Fasken's guide to operator contracts spells out what should be in one.
Make the list:
- –[ ] Accounting software provider (Sage, Pastel, Xero, QuickBooks)
- –[ ] Customer-relationship-management provider (HubSpot, Salesforce, Pipedrive, Zoho)
- –[ ] Email provider (Google Workspace, Microsoft 365)
- –[ ] WhatsApp Business Solution Provider — see the WhatsApp companion article → for the six SA providers and what each publishes
- –[ ] Generative-AI tools (ChatGPT, Claude, Gemini, Microsoft Copilot) — see the chatbot companion article → for the seven vendor questions
- –[ ] Backup provider (Backblaze, Dropbox, OneDrive)
- –[ ] Payment processor (PayFast, Yoco, Stripe, Peach)
- –[ ] Marketing platform (Mailchimp, Sendgrid)
- –[ ] Your accountant (the human, not the software)
- –[ ] Your virtual assistant or bookkeeper
For each one:
- –[ ] We have an operator agreement (a Data Processing Agreement, or POPIA-compliant data processing terms)
- –[ ] We know whether they process data inside or outside South Africa
- –[ ] We have notified customers about cross-border transfers where they happen
···
7. The data subject request procedure — sketch it now
A customer emails: "Please send me everything you have about me." For a PAIA access request you have 21 working days. For a POPIA Form 2 correction or deletion you have 30 days. Either deadline is short if you start cold.
- –[ ] Inbox. A named address (privacy@ or info@) that we check
- –[ ] Owner. The Information Officer is the named responder
- –[ ] Identity verification. The steps we take to confirm the requester is who they say they are
- –[ ] Search procedure. Where we look (CRM, accounting, email, WhatsApp Business, chatbot logs, backups)
- –[ ] Response template. A Word / Google Doc draft you can fill in fast
- –[ ] Log. Every request and our response stored in a "DSR log" with a date
If you don't have those six lines written somewhere, you're not ready for the next request that lands.
···
8. The cross-border check — where does your data live?
If you use any cloud tool, your data probably sits outside South Africa. POPIA Section 72 says you need either the data subject's consent for the cross-border transfer, a legal mechanism that gives the data equivalent protection, or a binding corporate rule from the foreign processor. The Information Regulator's Transborder Flows of Information guidance note is close to finalisation (Michalsons preview, March 2026) — when it lands, the standard hardens.
Quick check:
- –[ ] We know which tools process data outside South Africa
- –[ ] We have updated our privacy notice to disclose the destinations (e.g. "European Union, United States")
- –[ ] We rely on each vendor's Standard Contractual Clauses or Data Processing Addendum
- –[ ] We have a fallback if a vendor changes their data residency
- –[ ] We maintain a one-page cross-border register listing every cloud tool, its host country, and the legal basis for the transfer
···
9. The evidence folder — one place, easy to find
When the Information Regulator (or a buyer's procurement team) asks for POPIA evidence, you have one folder. Everything below in one place, one named owner, reviewed at least once a year.
- –[ ] POPIA policy
- –[ ] Information Officer registration confirmation
- –[ ] Privacy notice (current version)
- –[ ] Consent records (forms, opt-in logs, WhatsApp opt-in timestamps)
- –[ ] Retention schedule (Section 5 above, filled in)
- –[ ] Third-party processor list with operator agreements (Section 6 above)
- –[ ] Data subject request log (Section 7 above)
- –[ ] Cross-border transfer disclosures (Section 8 above)
- –[ ] Annual review notes
For the full editable framework that produces this evidence, see POPIA compliance framework →.
···
How Aitsa fits
Most of the items above are owner-operator policy decisions, not engineering work. But three of them get harder once your business runs on WhatsApp + Sage + ChatGPT:
- 01Consent capture on WhatsApp — explicit opt-in for broadcast lists, recorded against the contact with a timestamp.
- 02Audit-logged access to AI tools when they touch customer records.
- 03Data subject request fulfilment when the data is split across WhatsApp threads, Sage line items, and chatbot logs.
That's the work we do. Integration with audit trails baked in. If the checklist made you wince more than once, the AI Process Audit gives you a remote-friendly hour to map the workflow, rank the leaks, and decide what actually needs attention.
···
Where to go from here
···