POPIA Compliance Framework for Workflow Automation
A POPIA framework template for South African businesses that need procedures, owners, and evidence records before automating customer or staff data workflows.

A POPIA framework template for South African businesses that need procedures, owners, and evidence records before automating customer or staff data workflows.

Last updated: 28 May 2026. Five parts. Plain English. Written for businesses that need data handling to survive automation, AI assistance, and staff handover.
Most South African SMBs do not fail POPIA (Protection of Personal Information Act — South Africa's data-privacy law) because they are careless. They fail because the workflow is not written down.
A framework changes that. Not a 90-page consultant pack, but a short operating document that maps every POPIA condition to a procedure, an accountable owner, and an evidence record. When automation moves data faster, the framework shows who controls the data, who reviews exceptions, and what proof exists if something goes wrong.
This is that framework. If you need the quick self-audit version, the POPIA compliance checklist → is one page. If you need the why-it-all-matters version, the POPIA compliance pillar → is the long read.
Every business processing personal information in South Africa needs a POPIA framework. The framework has five parts: a policy document, a condition-by-condition procedures sheet, a RACI matrix (Responsible / Accountable / Consulted / Informed — the standard way to name who owns what task) that names accountable people, an evidence-record schema that says what proof you keep, and an annual review cycle that keeps it all current. The template below covers all five.
A POPIA framework is the bridge between the law (abstract) and your operations (concrete). It is the internal operating manual that produces both your privacy notice (customer-facing) and your PAIA Manual (the public-access document you publish under Section 51 of the PAIA Act).
Without a framework, every POPIA conversation in your business is ad-hoc. With one, it's a one-page lookup. "How do we handle a data subject request?" → page three. "What's our retention period for WhatsApp conversations?" → page six. "Who is responsible for direct-marketing consent?" → RACI matrix, row four.
A framework is not the same as a privacy notice (which faces customers) or a PAIA Manual (the public access document). It's the internal operating manual that produces both.
Each part is a separate document. Together they fit in a single PDF you can show an auditor or hand to a new Information Officer on day one.
The constitutional document. Three pages or less. States the business's commitment to POPIA compliance, the Information Officer's name and registration confirmation, the lawful bases the business relies on for processing (see POPIA Section 11), the data subject rights the business respects, the annual review cycle, and the signature, date, and version number.
Template structure:
POPIA Policy — [Business Name]
>
Version: 1.0 · Effective date: [date] · Review date: [date + 12 months]
>
1. Purpose. This policy sets out how [Business Name] complies with the Protection of Personal Information Act, 4 of 2013. 2. Scope. This policy applies to all employees, contractors, and operators processing personal information on behalf of [Business Name]. 3. Information Officer. [Name], registered with the Information Regulator on [date] via the E-Services Portal, contactable at [email]. 4. Lawful bases. [Business Name] processes personal information on the bases of: (a) consent, (b) contractual necessity, (c) compliance with legal obligation, (d) protection of legitimate interests, where applicable. 5. Data subject rights. [Business Name] respects every right granted under POPIA, including access, correction, deletion, objection to processing, and withdrawal of consent. 6. Procedures. The procedures supporting this policy are set out in the Condition-by-Condition Procedures document. 7. Review. This policy is reviewed annually. Material changes are documented and re-signed.
>
Approved by: [Name, Title] · Signature: ___ · Date: ___
The operational heart of the framework. One page per POPIA condition. Each page answers four questions: what does this condition require, what is our procedure for meeting it, who is responsible, and what evidence do we keep.
Template for one condition (repeat for all eight conditions):
Condition 1 — Accountability
>
Requirement. The business must be accountable for compliance with all eight POPIA conditions, including when third parties process data on its behalf. See POPIA Section 8.
>
Our procedure. 1. Information Officer registered with the Regulator and named in policy. 2. POPIA Policy reviewed annually, signed by the IO. 3. Every third-party processor has a written operator agreement under Section 21. 4. Every breach is logged, assessed, and reported per Condition 7.
>
Accountable. Information Officer.
>
Evidence kept. - Information Officer registration confirmation - Signed POPIA Policy (current version + last two) - Operator agreements file - Breach log
Repeat the structure for Conditions 2 to 8. The full procedure document ends up at 8–12 pages. The POPIA pillar's eight-conditions table → is the operational translation cheat-sheet that helps you fill in each one.
Each task gets one Accountable person, optionally one or more Responsible, Consulted, and Informed. POPIA tasks without an Accountable name are the ones that fail in audits.
Sample rows (the full matrix has 15–25 rows):
| Task | Responsible | Accountable | Consulted | Informed |
|---|---|---|---|---|
| Maintain Information Officer registration | Office manager | Information Officer | Legal advisor | Directors |
| Review POPIA policy annually | Information Officer | Director | Legal advisor | Staff |
| Process data subject access requests | Office manager | Information Officer | IT | Director |
| Maintain operator agreements file | Office manager | Information Officer | Procurement | — |
| Notify Regulator of breaches (Section 22) | Information Officer | Director | Legal advisor | Staff |
| Run staff POPIA induction | HR | Director | Information Officer | — |
| Maintain consent records | Marketing | Information Officer | IT | — |
| Run cross-border transfer review | Information Officer | Director | IT | — |
| Respond to Form 2 (correction/deletion) requests within 30 days | Office manager | Information Officer | Legal advisor | Director |
For each procedure, what evidence proves it happened. The schema table below is what an auditor or procurement officer asks to see when they want proof rather than promises.
| Procedure | Evidence type | Where kept | Retention |
|---|---|---|---|
| Information Officer registered | PDF confirmation from Regulator | Evidence folder / IO drive | Indefinite |
| Annual policy review | Signed policy + meeting note | Evidence folder | 7 years |
| Data subject request handled | Request log entry + response copy | DSR register | 3 years |
| Direct-marketing consent | Opt-in form / double opt-in log | CRM record | Until withdrawal + 6 months |
| Operator agreement signed | PDF agreement | Operator file | Duration of relationship + 5 years |
| Breach response | Breach log entry + remediation note | Breach register | 7 years |
| Cross-border review | Annual review note + cross-border register | Evidence folder | 5 years |
| Form 2 (correction/deletion) responded to | DSR log entry with response date | DSR register | 3 years |
Once a year, the framework is reviewed. The review is short — a 90-minute meeting on a Friday afternoon, minuted, filed.
File the minute as evidence for next year's cycle.
The framework is the operational document. Three groups consult it.
You do not need to publish the framework. It's internal. The customer-facing version is your privacy notice, which is short, plain English, and lives on your website. The public-access version is your PAIA Manual.
We've reviewed a lot of these. The mistakes repeat.
For a 5–20 person business, building the framework from scratch takes 8–12 hours, spread over two weeks. Most owner-operators can do this themselves — you don't need a R 25 000 consulting engagement to write a POPIA framework. You need a quiet morning and the discipline to actually do it.
Rough breakdown:
If your business already has the data flows mapped (Step 1 of the pillar's 8-step playbook →), the procedures section goes faster — most of the work is recording what already happens, not designing new processes.
Three places the framework collides with daily operations. These are where most SMBs underspend on the framework and overspend on the remediation later.
WhatsApp Business. Consent capture, retention, and cross-border transfer all become operational questions. The framework's procedures need to spell out: how do we capture explicit consent, how long do we keep conversations, what does our Business Solution Provider do with the data? The WhatsApp companion article → covers the SA Business Solution Provider landscape and the Section 69 direct-marketing rules in detail.
AI tools. Most SA SMBs are running ChatGPT or Claude on a personal account. The framework needs a procedure for what data those tools may and may not see. (Spoiler: customer personal information without anonymisation or an enterprise-tier Data Processing Addendum is a no.) The chatbot companion article → covers the seven vendor questions and the no-training contract clause.
Accounting / CRM. These are usually fine on their own. The risk is in the export — when data flows from Sage into a spreadsheet, into an email attachment, into a marketing tool. The framework needs to govern that flow, not just the front-of-system control.
A framework is paperwork. Implementing it across WhatsApp, AI, and your accounting system is engineering.
We don't sell POPIA consulting. We do build integrations that produce the evidence your framework needs: audit logs, consent records, retention enforcement, DSR fulfilment across systems. The framework's Part 4 (Evidence-Record Schema) is what we wire up.
If you'd rather have the integration deliver the evidence than chase it manually each month, the AI Process Audit is the place to start. We look at your current setup against the framework's evidence schema and tell you which rows can be automated and which still need a human hand.
BOOK A FREE AI PROCESS AUDIT
One free hour, remote or in person. We map one real workflow, show you where the value is leaking, and give you an honest next step. If it is not worth doing, we will tell you, and you keep the map.
01
You send this
A few details about the workflow you want to improve.
02
We reply same business day
With a Calendly link for a 1-hour slot that suits you.
03
1-hour audit
Workflow map, useful questions, and an honest go / no-go.
POPIA-aware handling. No mailing-list add. No auto-reply chain.