Yes. POPIA applies to virtually every business in South Africa that processes personal information, and that includes sole proprietors, partnerships, small companies, non-profits, churches, schools, and body corporates. There is no small-business exemption, no minimum turnover, and no minimum headcount. If you keep customer contact details, staff records, or supplier information, you are a responsible party under the Act and the compliance duties are yours. The exclusions that do exist are narrow and almost never help a business. Here is who must comply, and the few cases where POPIA genuinely does not apply.
If you are new to the Act itself, start with our complete guide to POPIA.
Who Must Comply
POPIA puts its duties on the responsible party: whoever decides why and how personal information is processed. For a business, that is the business itself, whatever its legal form:
- Sole proprietors and freelancers - trading in your own name does not exempt you. A one-person consultancy with a client list is a responsible party.
- Companies of every size - from a two-person startup to a listed group.
- Non-profits, churches, schools, and clubs - member registers, donor lists, and learner records are all personal information.
- Foreign businesses processing in South Africa - POPIA applies to a responsible party domiciled here, and to one domiciled elsewhere that uses means in South Africa to process (unless only forwarding information through the country).
If someone else processes information on your behalf (a payroll bureau, a hosting provider), they are an operator and carry their own duties, but the accountability for the processing stays with you.
It Also Protects Information About Companies
A detail that surprises most business owners: POPIA defines personal information as information relating to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person. In plain terms, information about companies, close corporations, and trusts is protected too. If your customers are businesses rather than individuals, that B2B contact database is still personal information under the Act. This is broader than most privacy laws elsewhere, so guidance written for the GDPR will mislead you on this point.
The Exclusions, and Why They Rarely Help a Business
Section 6 of POPIA excludes a short list of processing from the Act entirely:
- Purely personal or household activity - your family WhatsApp group and personal phone contacts. The moment the same information is used for business, this exclusion falls away.
- De-identified information - but only where it cannot be re-identified again. Merely removing names from a spreadsheet usually does not meet that bar.
- Certain state functions - processing by or for a public body involving national security, defence, public safety, or the investigation and prosecution of offences, to the extent other legislation provides adequate safeguards.
- Cabinet and provincial Executive Councils, and the judicial functions of courts.
Section 7 adds an exclusion for processing done solely for journalistic, literary or artistic expression, balancing privacy against freedom of expression.
Read that list again from a business owner's chair: none of it covers invoicing customers, marketing to prospects, running payroll, or keeping a delivery address book. For ordinary commercial processing, there is no exit. The realistic question is never whether POPIA applies to your business; it is how far along your compliance actually is.
What Complying Actually Means
Being subject to POPIA does not require a compliance department. For a small business it comes down to a concrete, finite set of tasks: appoint and register your Information Officer, publish a privacy policy, compile a PAIA manual, keep consent records where you rely on consent, handle data subject requests within 30 days, have a breach plan, and put written agreements in place with your operators. We walk through each one in our POPIA compliance checklist for small businesses.
Frequently Asked Questions
I am a sole proprietor with a handful of clients. Does POPIA really apply to me?
Yes. The Act attaches to the processing of personal information, not to the size or form of the business doing it. A freelancer's client list, invoices, and email history are personal information being processed for business purposes.
All my customers are companies, not people. Am I off the hook?
No. POPIA expressly protects information about identifiable, existing juristic persons, so records about your business customers are personal information too.
We are a non-profit. Do the same rules apply?
Yes. Donor lists, member registers, and beneficiary records are personal information, and a non-profit that decides how they are used is a responsible party like any company.
Where to Start
Since the Act almost certainly applies to you, the useful next step is knowing where you stand. The free POPIA assessment takes about five minutes and shows you which duties you already meet and which need work.
This is general information, not legal advice. For your specific situation, consult an attorney.