What small businesses need to know about POPIA

POPIA, things that small businesses need to action

What small businesses need to know about POPIA

Assess your risk for POPIA

Just because the business is small does not mean that it is low risk from a POPIA perspective. Some products or services are inherently invasive (e.g. lead generation, profiling and unsolicited direct marketing). They are high risk because their clients will force them to be POPIA compliant. If they are not, the consequences could be severe.

Adopt a POPIA policy

It is important to document who your information officer is, that will adhere to the principles of POPIA (and that you know what they are) and that will assess the business from time to time.

POPIA Information officer

There probably won’t be a team of people looking after POPIA compliance in small businesses – it will just be the information officer and a second. Small businesses should make sure that their information officer is aware that they are actually the information officer and what it means. While it may be impractical to make your CEO (who is your Information Officer) a POPIA expert, they should certainly know who to call when a data protection issue crops up.

Train the employees

At a small business, every employee is a line of defence. So make sure that they can spot non-compliance and know when it is serious.

Review of forms and proposals

Review the forms that you use to collect personal information and make sure that you are using all of that information. If you are not, stop collecting it. People need to know which information can be collected and what you can do with it and which information cannot be collected

Information security

Data breaches are a significant risk to small businesses. They are a particularly attractive target because many do not have the resources to manage information security.

Small businesses should take the following practical steps:

  • back up your data
  • use strong passwords (click here to see how to secure your data)
  • take care when working remotely
  • be wary of suspicious emails
  • install anti-virus and malware protection (click here for information on cyber threats)
  • do not leave paperwork or laptops unattended
  • make sure your Wi-Fi is secure
  • lock your screen when you are away from your desk
  • keep on top of who has access to what
  • do not keep data for longer than you need it
  • dispose of old computer equipment and records securely
  • get a shredder.

Click here for the act on the government website.