Owasp Top 10 South Africa
South African organisations face a compliance landscape that is simultaneously more complex and more consequential than most jurisdictions acknowledge. The Protection of Personal Information Act (POPIA) came into full effect in July 2021, but many businesses still lack the systematic controls required to demonstrate ongoing compliance to the Information Regulator.
Understanding POPIA's eight conditions
POPIA is structured around eight conditions for lawful processing: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. Each condition creates distinct technical and governance obligations. A gap in any one of them is sufficient grounds for a compliance notice or, in serious cases, criminal referral.
Organisations must designate an Information Officer registered with the Information Regulator, maintain a personal information impact assessment register, and ensure that all third-party operators processing data on their behalf are bound by written contracts that impose equivalent obligations. These are not optional frameworks -- they are legal requirements with enforcement teeth.
Where organisations typically fall short
Based on common audit patterns, the most frequent gaps are: inadequate data retention schedules (data held indefinitely with no destruction policy), insufficient consent mechanisms for secondary processing purposes, missing or inadequate data breach notification procedures, and third-party operator agreements that pre-date POPIA without being updated. Cross-border transfer controls -- particularly for organisations using international SaaS vendors -- are also frequently missing.
A practical compliance checklist for 2026
The following checklist covers the minimum viable compliance posture for a South African organisation processing personal information:
- Information Officer appointed and registered with the Information Regulator
- PAIA Manual updated to reflect POPIA obligations
- Personal Information Impact Assessment (PIIA) conducted and documented
- Data retention and destruction policy in place and enforced
- Consent mechanisms reviewed for all processing activities
- Operator contracts reviewed and updated with POPIA schedules
- Data breach response procedure documented and tested
- Cross-border transfer agreements in place for international processors
- Staff awareness training completed and recorded
- Subject access request (SAR) response process documented
Run a structured POPIA compliance audit with a Logoyn specialist. Get an evidence-based findings report and certified deliverables in days, not months.
Logoyn Team