Do small businesses also have to comply with POPIA?

Do small businesses also have to comply with POPIA?

From a data protection perspective, a small business is an organisation that employs less than 50 people. Those that employ less than 10 are considered micro-enterprises.

However, the need to comply with the Protection of Personal Information Act (POPIA) depends less on the size of the business and more on whether the data processing poses a risk to the data subjects.

Small and micro businesses need to comply with the Protection of Personal Information Act if:

  • the business’s main focus is data processing.
  • they have a high number of data subjects and employees.
  • they process sensitive/special personal information or information about children.
  • their data processing could cause damage or distress to the data subjects.
  • the business needs prior authorisation from the regulator.

Low-risk small businesses

Examples of small businesses that collect little, if any, personal data and pose a low risk to data subjects include:

  • Cafés, coffee-shops, restaurants, pizzerias and take-aways
  • Beauty salons, hairdressers, dry cleaners
  • Gift shops, ice-cream shops
  • B&Bs, including Airbnb’s and guesthouses

If your business is small and falls into the low-risk category you’re unlikely to need to attend POPIA workshops, buy into POPIA software or apply to the regulator for prior authorisation.

Instead, become familiar with the eight principles of POPIA, and when you make adjustments to your business operations and data systems make sure they’re in line with the regulation because not only do the principles optimise data protection, they can also meaningfully transform your business practices.

High-risk small businesses

Examples of small businesses that collect a lot of personal data and pose a high risk to data subjects include:

  • Accounting businesses that do audits on other businesses
  • Teams that conduct medical research, DNA testing or medical diagnoses of individuals
  • Teams that track people’s geolocations and interests online
  • Direct marketing agencies and those who use tracking to gain information
  • Those carrying out credit checks, or processing bond and insurance applications
  • Those that use innovative technology, biometric data, genetic data
  • Those who carry out data matching or invisible processing

What if my business is high risk?

If your business falls into the higher risk, there are immediate actions you can take that won’t cost you a lot of money:

  • Make sure you have safety measures in place to protect personal information you collect or process, e.g. the personal and banking details of your customers.
    These include installing an SSL certificate on your website, using cyber security software with antivirus and anti-malware components.
  • Get specific consent from the data subjects’ whose personal information you collect or process.
  • Don’t keep the personal information for longer than you promised to when gaining consent.
  • Add a privacy policy to your website.
  • Make it easy for your data subjects to contact you with complaints about your data processing or if they want to make a subject access request, e.g. via a form or a contact page on your website.
  • When you send newsletters/mass mailers and other marketing correspondence make sure recipients are able to opt-out or unsubscribe.
  • Keep cyber awareness high amongst your group of colleagues.

With these simple measures small, low-risk businesses can make headway towards compliance.

If you’re unsure about whether your processing poses a risk to your data subjects, check in with a POPIA consultant or take a short survey to see what kind of solution would help you manage your data in a compliant way.

Book time with our compliance expert

Step 1 of 2

  • Sign up for your
    Free Trial

    Please complete the form to sign up for your free trial. For all our other products, please contact us for a consultation.

  • I have read and understand IronTree Internet Services (Pty) Ltd's privacy notice.

The reseller zone is currently out getting a facelift as we look to integrate it with our backup platform, as it stands you can overview your clients on our new backup console. If you don't know what console that is, please reach out to us.

  • Hidden
  • I have read and understand IronTree Internet Services (Pty) Ltd's privacy notice.

  • I have read and understand IronTree Internet Services (Pty) Ltd's privacy notice.

  • I have read and understand IronTree Internet Services (Pty) Ltd's privacy notice.

We are taking all necessary precautions around the COVID-19 situation. Our offices are closed and our team members have each been set up to work remotely in self-isolation at home. As far as possible IronTree will maintain business as usual. All our resources such as server platforms, transactional capacity, telephony and electronic communications, including video meeting facilities, have been configured in the cloud and are 100% operational. Please feel free to contact us if you require our assistance. Stay safe!
One of our team members will be happy to help answer any questions you have!
Just click the chat icon in the right-hand corner.