A plain-English checklist for South African founders. What POPIA actually requires from your website, forms, and databases — without the legal jargon.
If you run a business in South Africa and collect any personal information — a contact form, a newsletter signup, a user account — POPIA applies to you. It's been fully enforced since July 2021, yet a surprising number of startup websites still ship without a single one of the basics in place.
This isn't a legal guide. It's an engineer's checklist of the things we put into every client site so they're defensible if someone ever complains.
What POPIA actually is
POPIA — the Protection of Personal Information Act — is South Africa's equivalent of the EU's GDPR. It governs how you collect, store, use, and share personal information of any living person or identifiable business. The Information Regulator can fine you up to R10 million or refer criminal charges for serious breaches.
The good news: if you handle it at the product level from day one, compliance is mostly a one-time setup with small ongoing hygiene.
The startup checklist
1. A real privacy policy on your website
Not a template you copied from a US SaaS. Your policy needs to name you (the responsible party), explain what information you collect, why you collect it, how long you keep it, who you share it with, and how a user can request, correct, or delete their data.
Link it in your footer, and also link it directly below every form that captures personal data.
2. Explicit consent on forms
A checkbox — unticked by default — that says something like: "I agree to Articsoft processing my information in line with the privacy policy." Pre-ticked boxes don't count as consent under POPIA.
If you're collecting for marketing (newsletter, promotional emails), the consent must be separate from the consent to contact them about the enquiry itself.
3. Minimise what you collect
POPIA's principle of minimality says you may only collect information that's necessary for the stated purpose. A contact form does not need date of birth. A newsletter does not need a phone number. Every unnecessary field is a liability with no upside.
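As an added example (not Articsoft's own code), here is a server-side form handler in Python that enforces points 2 and 3 together: an absent or unticked checkbox is treated as no consent, marketing consent is recorded separately and never inferred from the consent to handle the enquiry, and any field the form was not designed to collect is dropped and reported instead of silently stored. The field names (consent_processing, consent_marketing) and the function names are assumptions for illustration.

```python
"""Server-side consent and minimality checks for a contact form.

Added example, not Articsoft's code. Field names and the function names
below are assumptions for illustration.
"""
from __future__ import annotations

# Minimality: the complete list of fields this form is allowed to store.
# Anything else in the POST body is dropped rather than silently kept.
ALLOWED_FIELDS = {"name", "email", "message"}

# Two separate checkboxes: one for processing the enquiry, one for marketing.
PROCESSING_CONSENT = "consent_processing"
MARKETING_CONSENT = "consent_marketing"
CONSENT_FIELDS = {PROCESSING_CONSENT, MARKETING_CONSENT}


def ticked(form: dict, field: str) -> bool:
    """True only if the user actively ticked the box.

    A browser omits an unticked checkbox from the POST body entirely, so a
    missing key must read as "no consent", never as a default of True.
    """
    return str(form.get(field, "")).strip().lower() in {"on", "true", "1", "yes"}


def strip_to_minimum(form: dict) -> tuple[dict, list[str]]:
    """Keep only ALLOWED_FIELDS; report what was dropped so the form can be fixed."""
    kept = {k: str(v).strip() for k, v in form.items() if k in ALLOWED_FIELDS}
    dropped = sorted(k for k in form if k not in ALLOWED_FIELDS | CONSENT_FIELDS)
    return kept, dropped


def validate_submission(form: dict) -> tuple[dict | None, list[str]]:
    """Return (record, errors). record is None when the submission must be rejected."""
    errors: list[str] = []
    if not ticked(form, PROCESSING_CONSENT):
        errors.append("processing consent not given")
    for required in ("email", "message"):
        if not str(form.get(required, "")).strip():
            errors.append(f"missing {required}")
    if errors:
        return None, errors

    record, dropped = strip_to_minimum(form)
    # Marketing consent is stored as its own flag and defaults to False.
    # It is never inferred from the consent to handle the enquiry.
    record["marketing_opt_in"] = ticked(form, MARKETING_CONSENT)
    record["dropped_fields"] = dropped  # surfaced for logging: over-collection on the form
    return record, []


if __name__ == "__main__":
    # Constructed sample POST body: processing consent ticked, marketing not,
    # plus a date_of_birth field the form should never have asked for.
    sample = {
        "name": "Thandi",
        "email": "thandi@example.co.za",
        "message": "Please call me about hosting.",
        "consent_processing": "on",
        "date_of_birth": "1990-01-01",
    }
    print(validate_submission(sample))
    print(validate_submission({"email": "x@example.co.za", "message": "hi"}))
```

The `dropped_fields` list is worth alerting on: if it is ever non-empty in production, the form markup is asking for more than the back end is prepared to justify, which is exactly the liability point 3 describes.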
4. Secure your data in transit and at rest
- HTTPS on every page (no excuse in 2026 — Let's Encrypt is free).
- Database encryption at rest on your hosting provider.
- Hashed passwords (bcrypt/argon2 — never plain text, never MD5).
- Restrict database access by IP or VPN where possible.
- Rotate credentials and API tokens; never commit them to git.
5. Have a data breach response plan
If you suffer a breach you must notify the Information Regulator and affected users "as soon as reasonably possible." Write down now, while things are calm, who does what: who investigates, who drafts the notice, who informs users, and who talks to the Regulator.
6. Appoint an Information Officer
By default this is the head of your business. You're supposed to register them with the Information Regulator (it's free, online, takes ten minutes). Most small startups skip this step and regret it later — do it now.
7. Handle third parties properly
Every SaaS you send user data to — Mailchimp, Stripe, HubSpot, your analytics tool — counts as an "operator" under POPIA. You need a written agreement with each (their standard DPA is usually fine) and you need to disclose them in your privacy policy.
What we actually implement on client sites
For every Articsoft build, the baseline is: HTTPS, hashed credentials, an unticked consent checkbox on every form, a proper privacy policy page with a last-updated date, a cookie banner if we're running analytics, and a documented retention policy for form submissions (we usually delete after 24 months unless the client opts in to longer).
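Added example, not Articsoft's own code, of the retention rule just described: a scheduled purge that deletes form submissions older than the retention period, written in Python against SQLite from the standard library with a constructed table and sample rows. The table and column names are assumptions; the period defaults to 24 months and is a parameter so a site whose client has opted in to longer retention can raise it. Calendar-month arithmetic is used rather than a fixed number of days so "24 months" means the same calendar date two years earlier.

```python
"""Retention purge for stored form submissions.

Added example, not Articsoft's code. Uses SQLite from the standard library
with a constructed table; the table and column names are assumptions. The
retention period defaults to 24 months and can be raised per site.
"""
from __future__ import annotations

import calendar
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE form_submissions (
    id           INTEGER PRIMARY KEY,
    email        TEXT NOT NULL,
    message      TEXT NOT NULL,
    submitted_at TEXT NOT NULL   -- ISO 8601 in UTC, so string order == time order
);
"""


def months_before(moment: datetime, months: int) -> datetime:
    """Calendar-month subtraction, clamping the day (31 Mar - 1 month = 28/29 Feb)."""
    total = moment.year * 12 + (moment.month - 1) - months
    year, month0 = divmod(total, 12)
    month = month0 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def cutoff_iso(now_iso: str, retention_months: int) -> str:
    """ISO timestamp before which a submission is past its retention period."""
    return months_before(datetime.fromisoformat(now_iso), retention_months).isoformat()


def purge_expired(conn: sqlite3.Connection, now: datetime, retention_months: int = 24) -> int:
    """Delete every submission older than the retention period; return the row count."""
    cutoff = months_before(now, retention_months).isoformat()
    cur = conn.execute("DELETE FROM form_submissions WHERE submitted_at < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


def demo(retention_months: int = 24) -> tuple[int, int]:
    """Run the purge over constructed rows; return (deleted, remaining)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Constructed sample rows, evaluated as of 31 March 2026 (UTC).
    now = datetime(2026, 3, 31, tzinfo=timezone.utc)
    rows = [
        ("old@example.co.za",  "enquiry", "2024-01-15T10:00:00+00:00"),  # 26 months old: purged
        ("edge@example.co.za", "enquiry", "2024-03-31T09:00:00+00:00"),  # on the cutoff date: kept
        ("new@example.co.za",  "enquiry", "2025-11-02T12:00:00+00:00"),  # 5 months old: kept
    ]
    conn.executemany(
        "INSERT INTO form_submissions (email, message, submitted_at) VALUES (?, ?, ?)", rows
    )
    deleted = purge_expired(conn, now, retention_months)
    remaining = conn.execute("SELECT COUNT(*) FROM form_submissions").fetchone()[0]
    conn.close()
    return deleted, remaining


if __name__ == "__main__":
    print("24-month policy:", demo())     # (1, 2)
    print("36-month policy:", demo(36))   # (0, 3)
```

Run it from cron or your scheduler once a day; the returned row count is what you log, since a purge that suddenly deletes zero rows for months (or thousands in one night) is the signal that either the job or the timestamp column has gone wrong.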
That's maybe two days of engineering work at the start of a project. Doing it later — after you have users — costs ten times more and always happens in a panic.
Bottom line
POPIA is not a reason to avoid collecting data. It's a reason to collect less of it, store it better, and be honest with your users about what you're doing.
If you're launching a product in SA this year and you're not sure where you stand, a two-hour audit will catch 90% of the gaps. We do these for clients — it's the cheapest insurance policy in the business.