{"id":69140,"date":"2021-07-16T17:32:34","date_gmt":"2021-07-16T15:32:34","guid":{"rendered":"https:\/\/www.sage.com\/en-za\/blog\/?p=69140"},"modified":"2026-01-29T15:32:19","modified_gmt":"2026-01-29T13:32:19","slug":"popia-compliance-what-accountants-need-to-know","status":"publish","type":"post","link":"https:\/\/www.sage.com\/en-za\/blog\/popia-compliance-what-accountants-need-to-know\/","title":{"rendered":"POPIA compliance: What accountants need to know"},"content":{"rendered":"<header class=\"entry-header has-dark-background-color entry-header--has-illustration entry-header--has-illustration--generic\">\n\t<div class=\"container\">\n\t\t<div class=\"entry-header__row row align-center\">\n\t\t\t<div class=\"col col-lg-7 col-xlg-6 entry-header__content\">\n\t\t\t\t\t\t\t<div class=\"component component-single-header\">\n\t\t\t\t\t\t\t\t\t\t<div class=\"entry-header__misc text--subtitle text--uppercase text--small\">\n\t\t\t\t\t\t\t<a href=\"https:\/\/www.sage.com\/en-za\/blog\/category\/strategy-legal-operations\/compliance\/\" class=\"entry-header__link\">Compliance<\/a>\t\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t<div class=\"entry-title-wrapper\">\n\t\t\t\t\t<h1 class=\"entry-title\">\n\t\t\t\t\t\tPOPIA compliance: What accountants need to know\t\t\t\t\t<\/h1>\n\t\t\t\t<\/div>\n\n\t\t\t\t\t\t\t\t\t<p class=\"entry-header__description\">\n\t\t\t\t\t\t\t\t\t\t\t<\/p>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t<\/div>\n\n\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t<\/div>\n\t<div class=\"single-post-details container\">\n\t\t<div class=\"col\">\n\t\t\t<span class=\"posted-on \"><time class=\"entry-date published\" datetime=\"2021-07-16T17:32:34+02:00\">Jul 16, 2021<\/time><\/span>\n\t\t\t\t<\/div>\n\t<\/div>\n<\/header>\n\n\n\n<div class=\"wp-block-post-author\">\n\t\t\t<div class=\"co-authors\">\n\t\t\t\n\t\t<div class=\"entry-author-wrapper\">\n\t\t\t<a class=\"entry-author\" href=\"https:\/\/www.sage.com\/en-za\/blog\/author\/mongezilupindo\/\">\n\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"40\" height=\"40\" src=\"https:\/\/www.sage.com\/en-za\/blog\/wp-content\/uploads\/sites\/9\/2021\/12\/Mongezi-350x350.jpg\" class=\"entry-author__image\" alt=\"\" \/>\t\t\t\t<span class=\"entry-author__name\">Mongezi Lupindo<\/span>\n\t\t\t<\/a>\n\n\t\t\t\t\t<\/div>\n\n\t\t\t\t<\/div>\n\t\t<\/div>\n\n\n\n<p>News about the <a href=\"https:\/\/www.sage.com\/en-za\/blog\/small-business-data-protection-low-hanging-fruit\/\">Protection of Personal Information Act<\/a> (POPIA) has dominated headlines and flooded our inboxes in recent weeks. That\u2019s because, as of 1 July 2021, any individual or entity has to be POPIA compliant. 
The legislation, passed by the South African Parliament, outlines what individuals and businesses that process or record personal information must do in order to safeguard this data.<\/p>\n\n\n\n<p>This means reviewing all the operational processes running within your organisation that touch personal information of employees, customers, and suppliers.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-so-what-do-accountants-need-to-know-about-popia\">So, what do accountants need to know about POPIA?<\/h2>\n\n\n\n<p>POPIA has a big impact on any business working in financial services.<\/p>\n\n\n\n<p>Accountants process a great deal of personal information around the financial history of their clients and their businesses. While ensuring the integrity and confidentiality of this information has always been best industry practice, POPIA makes it a legal obligation.<\/p>\n\n\n\n<p>For accountants and accounting firms, POPIA demands that the way they interact with customers and clients must adhere to the requisite privacy laws. In addition, how accountants collect, store, or process employee information must also align with the protections set out by POPIA.<\/p>\n\n\n\n<p>Below, we unpack four steps accountants can take in order to start their journey to POPIA compliance.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-1-nbsp-nbsp-nbsp-raise-awareness\">1.&nbsp;&nbsp;&nbsp; Raise awareness<\/h2>\n\n\n\n<p>When it comes to POPIA, knowledge is critical. Education and awareness must be a top priority because people play a major role in making sure that any organisation remains POPIA compliant.<\/p>\n\n\n\n<p>All employees need to understand basic POPIA privacy principles, what is required of them, and how to apply these to the work they do. 
Effective compliance demands that you secure buy-in from everyone \u2013 be it senior management or the most junior staff member.<\/p>\n\n\n\n<p>This kind of security and privacy awareness training not only reduces the risk of costly errors in handling sensitive information but also protects the company\u2019s confidential data and information systems. Training and privacy\/security awareness workshops must happen regularly to guarantee that the responsible handling and safeguarding of personal information is always top of mind.<\/p>\n\n\n\n<p>At Sage, we have developed a POPIA internal training programme for employees and partners. We\u2019ve also created a <a href=\"https:\/\/www.sage.com\/en-za\/legal\/privacy-and-cookies\/protection-of-personal-information\/\">Privacy Hub<\/a> containing our updated POPIA Privacy Policy, Cookies Policy, and PAIA Manual, and have joined the Michalsons Compliance Programme for Data Protection.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-2-nbsp-nbsp-nbsp-develop-a-compliance-plan\">2.&nbsp;&nbsp;&nbsp; Develop a compliance plan<\/h2>\n\n\n\n<p>Depending on the size, scope, and function of your business, you\u2019ll either need to appoint a dedicated POPIA compliance\/information officer or a compliance team. 
In most instances, a compliance officer \u2013 typically the CEO, unless the role has been delegated to someone else \u2013 will suffice.<\/p>\n\n\n\n<p>This individual is responsible for developing and implementing a compliance framework, ensuring that POPIA awareness workshops are set up and attended, and conducting regular assessments to flag risks and identify what safeguards are needed to protect any personal information being processed.<\/p>\n\n\n\n<p>In order to develop a compliance framework, it\u2019s essential to audit each business unit to determine what information is collected, how it\u2019s collected, who collects it, what it\u2019s used for, and how it\u2019s stored and processed.<\/p>\n\n\n\n<p>Beyond this, accountants need to assess how information is retained and destroyed and, importantly, whether the information was collected with the necessary consent. These audits will highlight any gaps that exist and, from this, you will be able to compile a risk assessment report. When developing this plan, ensure that your policies are reasonable, appropriate, and enforceable and that they are designed for diverse groups of stakeholders.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-3-nbsp-nbsp-nbsp-implement-your-strategy\">3.&nbsp;&nbsp;&nbsp; Implement your strategy<\/h2>\n\n\n\n<p>Once the right compliance policies and procedures have been established, these need to be implemented, monitored, and maintained \u2013 regularly.<\/p>\n\n\n\n<p>A gap analysis will reveal how employee contracts and supplier agreements must be updated and what changes need to be made to your marketing practices. Any gaps you identify will determine what policies need to be put in place around personal information sharing and the use of personal devices at work, for example. 
If you\u2019re using any business or financial management software, you\u2019ll need to check with the supplier to find out if the solution adheres to POPIA security requirements.<\/p>\n\n\n\n<p>Any plan you\u2019ve put together is only effective if it is properly implemented. In some cases, this may require that you enlist the help of an outside service provider, such as a law firm, to help your business put the proper measures and controls in place.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-4-nbsp-nbsp-nbsp-review\">4.&nbsp;&nbsp;&nbsp; Review<\/h2>\n\n\n\n<p>Even with all of these new privacy policies in place, your work isn\u2019t over yet. In fact, continued POPIA compliance requires ongoing monitoring of the data protection ecosystem and demands that you keep up to date with any changes to legislation, new regulations, and the latest security threats.<\/p>\n\n\n\n<p>Remember that more data means more risk. Under POPIA, businesses cannot keep records of personal information once the reason for which the information was collected no longer exists; that is, unless storing the data is required by law. As such, accountants shouldn\u2019t keep the personal information of former suppliers once the business relationship has ended.&nbsp;As part of the review process, businesses must check if they are holding onto any financial records that they no longer need.<\/p>\n\n\n\n<p>POPIA demands consistency and transparency. If you\u2019re processing, sharing, or storing someone\u2019s personal information, you need to let him or her know why. With this in mind, it\u2019s imperative to regularly review why you are processing, saving, or sharing any personal information and verify that these reasons are still valid. This also applies to information received from a third party.<\/p>\n\n\n\n<p>POPIA compliance must become \u201cbusiness-as-usual\u201d and should be built into any product, service, and process going forward. Think of compliance as privacy by design. 
That being said, complying with POPIA is not a case of one size fits all. Different organisations must take different actions to comply. Failure to comply has serious implications, from fines and imprisonment to reputational damage and a loss of client trust.<\/p>\n\n\n\n<p>Need help getting started on your POPIA compliance journey? <a href=\"https:\/\/www.sage.com\/en-za\/legal\/privacy-and-cookies\/protection-of-personal-information\/\">Visit our dedicated Sage Legal Information website<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-disclaimer\">Disclaimer:<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-sage-popia-legal-disclaimer\"><strong>Sage POPIA legal disclaimer<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The information contained in this document\/website\/publication is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice.<\/li>\n\n\n\n<li>We would like to stress that there is no substitute for conducting your own detailed investigations or seeking your own professional advice if you are unsure of the implications of POPIA on your business.<\/li>\n\n\n\n<li>Sage will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise, from the use of or reliance on this information or from any action or decisions taken as a result of using this information.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>News about the Protection of Personal Information Act (POPIA) has dominated headlines and flooded our inboxes in recent weeks. That\u2019s because, as of 1 July 2021, any individual or entity has to be POPIA compliant. 
The legislation, passed by the South African Parliament, outlines what individuals and businesses that process or record personal information must [&hellip;]<\/p>\n","protected":false},"author":904,"featured_media":68774,"menu_order":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_sage_video":false,"post_featured_image_hide":false,"footnotes":""},"categories":[35],"tags":[321],"business_type":[5],"lilypad":[],"context":[],"industry":[],"persona":[15],"imagine_tag":[51],"coauthors":[430],"class_list":["post-69140","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-compliance","tag-compliance","business_type-accountants"],"sage_meta":{"region":"en-za","author_name":"Mongezi Lupindo","featured_image":"https:\/\/www.sage.com\/en-za\/blog\/wp-content\/uploads\/sites\/9\/2020\/09\/SAGE-14-scaled.jpg","imagine_tags":{"51":"Accountants"}},"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Sage Advice South 
Africa","distributor_original_site_url":"https:\/\/www.sage.com\/en-za\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.sage.com\/en-za\/blog\/api\/wp\/v2\/posts\/69140","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sage.com\/en-za\/blog\/api\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sage.com\/en-za\/blog\/api\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sage.com\/en-za\/blog\/api\/wp\/v2\/users\/904"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sage.com\/en-za\/blog\/api\/wp\/v2\/comments?post=69140"}],"version-history":[{"count":0,"href":"https:\/\/www.sage.com\/en-za\/blog\/api\/wp\/v2\/posts\/69140\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.sage.com\/en-za\/blog\/api\/wp\/v2\/media\/68774"}],"wp:attachment":[{"href":"https:\/\/www.sage.com\/en-za\/blog\/api\/wp\/v2\/media?parent=69140"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sage.com\/en-za\/blog\/api\/wp\/v2\/categories?post=69140"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sage.com\/en-za\/blog\/api\/wp\/v2\/tags?post=69140"},{"taxonomy":"business_type","embeddable":true,"href":"https:\/\/www.sage.com\/en-za\/blog\/api\/wp\/v2\/business_type?post=69140"},{"taxonomy":"lilypad","embeddable":true,"href":"https:\/\/www.sage.com\/en-za\/blog\/api\/wp\/v2\/lilypad?post=69140"},{"taxonomy":"context","embeddable":true,"href":"https:\/\/www.sage.com\/en-za\/blog\/api\/wp\/v2\/context?post=69140"},{"taxonomy":"industry","embeddable":true,"href":"https:\/\/www.sage.com\/en-za\/blog\/api\/wp\/v2\/industry?post=69140"},{"taxonomy":"persona","embeddable":true,"href":"https:\/\/www.sage.com\/en-za\/blog\/api\/wp\/v2\/persona?post=69140"},{"taxonomy":"imagine_tag","embeddable":true,"href":"https:\/\/www.sage.com\/en-za\/blog\/api\/wp\/v2\/imagine_tag?post=69140"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.sage.com\/en-za\/blog\/api
\/wp\/v2\/coauthors?post=69140"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}