POPIA compliance: What accountants need to know

News about the Protection of Personal Information Act (POPIA) has dominated headlines and flooded our inboxes in recent weeks. That’s because, as of 1 July 2021, any individual or entity has to be POPIA compliant. The legislation, passed by the South African Parliament, outlines what individuals and businesses that process or record personal information must do in order to safeguard this data.

This means reviewing all the operational processes running within your organisation that touch personal information of employees, customers, and suppliers.

So, what do accountants need to know about POPIA?

POPIA has a big impact on any business working in financial services.

Accountants process a great deal of personal information around the financial history of their clients and their businesses. While ensuring the integrity and confidentiality of this information has always been best industry practice, POPIA makes it a legal obligation.

For accountants and accounting firms, POPIA demands that the way they interact with customers and clients must adhere to the requisite privacy laws. In addition, how accountants collect, store, or process employee information must also align with the protections set out by POPIA.

Below, we unpack four steps accountants can take in order to start their journey to POPIA compliance.

1.    Raise awareness

When it comes to POPIA, knowledge is critical. Education and awareness must be a top priority because people play a major role in making sure that any organisation remains POPIA compliant.

All employees need to understand basic POPIA privacy principles, what is required of them, and how to apply these to the work they do. Effective compliance demands that you secure buy-in from everyone – be it senior management or the most junior staff member.

This kind of security and privacy awareness training not only reduces the risk of costly errors in handling sensitive information but also protects the company’s confidential data and information systems. Training and privacy/security awareness workshops must happen regularly to guarantee that the responsible handling and safeguarding of personal information is always top of mind.

At Sage, we have developed a POPIA internal training programme for employees and partners. We’ve also created a Privacy Hub containing our updated POPIA Privacy Policy, Cookies Policy, and PAIA Manual, and have joined the Michalsons Compliance Programme for Data Protection.

2.    Develop a compliance plan

Depending on the size, scope, and function of your business, you’ll either need to appoint a dedicated POPIA compliance/information officer or a compliance team. In most instances, a compliance officer – typically the CEO, unless the role has been delegated to someone else – will suffice.

This individual is responsible for developing and implementing a compliance framework, ensuring that POPIA awareness workshops are set up and attended, and conducting regular assessments to flag risks and identify what safeguards are needed to protect any personal information being processed.

In order to develop a compliance framework, it’s essential to audit each business unit to determine what information is collected, how it’s collected, who collects it, what it’s used for, and how it’s stored and processed.

Beyond this, accountants need to assess how information is retained and destroyed and, importantly, whether the information was collected with the necessary consent. These audits will highlight any gaps that exist and, from this, you will be able to compile a risk assessment report. When developing this plan, ensure that your policies are reasonable, appropriate, and enforceable and that they are designed for diverse groups of stakeholders.

3.    Implement your strategy

Once the right compliance policies and procedures have been established, these need to be implemented, monitored, and maintained – regularly.

A gap analysis will reveal how employee contracts and supplier agreements must be updated and what changes need to be made to your marketing practices. Any gaps you identify will determine what policies need to be put in place around personal information sharing and the use of personal devices at work, for example. If you’re using any business or financial management software, you’ll need to check with the supplier to find out if the solution adheres to POPIA security requirements.

Any plan you’ve put together is only effective if it is properly implemented. In some cases, this may require that you enlist the help of an outside service provider, such as a law firm, to help your business put the proper measures and controls in place.

4.    Review

Even with all of these new privacy policies in place, your work isn’t over yet. In fact, continued POPIA compliance requires ongoing monitoring of the data protection ecosystem and demands that you keep up to date with any changes to legislation, new regulations, and the latest security threats.

Remember that more data means more risk. Under POPIA, businesses cannot keep records of personal information once the reason for which the information was collected no longer exists; that is, unless storing the data is required by law. As such, accountants shouldn’t keep the personal information of former suppliers once the business relationship has ended. As part of the review process, businesses must check if they are holding onto any financial records that they no longer need.

POPIA demands consistency and transparency. If you’re processing, sharing, or storing someone’s personal information, you need to let him or her know why. With this in mind, it’s imperative to regularly review why you are processing, saving, or sharing any personal information and verify that these reasons are still valid. This also applies to information received from a third party.

POPIA compliance must become “business-as-usual” and should be built into any product, service, and process going forward. Think of compliance as privacy by design. That being said, complying with POPIA is not a case of one size fits all. Different organisations must take different actions to comply. Failure to comply has serious implications, from fines and imprisonment to reputational damage and a loss of client trust.

Need help getting started on your POPIA compliance journey? Visit our dedicated Sage Legal Information website,


Sage POPIA legal disclaimer

  • The information contained on this document/website/publication is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice.
  • We would like to stress that there is no substitute for conducting your own detailed investigations or seeking their own professional advice if they are unsure of the implications of POPIA on their businesses.
  • Sage will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise, from the use of or reliance on this information or from any action or decisions taken as a result of using this information.