
POPIA-compliant bookkeeping: what it actually means

POPIA isn't just for big companies. Here's what it requires of every business handling client data, and how to comply without losing your weekend.

9 min read · Snap-a-Slip

The Protection of Personal Information Act (POPIA) is the South African data-protection law. It came into effect on 1 July 2020 with a 12-month grace period, so full enforcement has applied since 1 July 2021. The Information Regulator has enforced it actively since then, issuing enforcement notices and, in at least one case, an administrative fine.

Most small-business owners I've spoken to fall into one of two camps. The first thinks POPIA is "for the banks", and that 5-person consultancies don't need to worry. The second is broadly aware that POPIA matters but has no idea what to actually do about it. Both camps are wrong, but in different ways.

This article explains what POPIA actually requires of a small bookkeeping operation (your own, or one you outsource), what counts as personal information, and a checklist that gets you broadly compliant without expensive legal work.

A note on scope: this is general guidance. POPIA-related sanctions can be material, including fines up to R10 million and reputational damage. Before treating any specific situation as compliant, talk to a qualified attorney or compliance practitioner.

Who POPIA applies to

POPIA applies to anyone who processes personal information in South Africa, with narrow exclusions (purely personal or household activity, information that has been de-identified, and a few public-interest cases such as journalism and national security). "Process" includes collecting, storing, using, distributing and deleting. "Personal information" includes:

  • Identity numbers, names, contact details, email addresses
  • Financial information (bank accounts, payment records)
  • Employment history
  • Photos
  • Anything that can identify a living natural person, directly or indirectly
  • Information about juristic persons (companies) is also covered, in some respects

If you keep a client list with names and email addresses, you process personal information. If you store receipts that contain employee names or merchant contact info, you process personal information. There's no minimum-size threshold. The rules apply to everyone; the practical compliance burden scales with how much sensitive data you handle.

The 8 conditions

POPIA sets out 8 conditions for lawful processing. Section 4 of the Act lists them, and sections 8 to 25 spell each one out. Here is what each one means for a bookkeeping operation:

1. Accountability

The "responsible party" (the business processing the data) is accountable for compliance. This means a named person, internally, owns POPIA. For a small business, that is usually the founder. POPIA also requires an Information Officer, a role that defaults to the head of the business; the Regulator expects that person to be registered through its online portal, and registration is free. Larger setups can designate deputy Information Officers to carry the day-to-day work.

2. Processing limitation

Process only what is necessary, with consent or other lawful basis, and in a way that does not unnecessarily intrude on privacy. For bookkeeping, the lawful basis is usually one of:

  • Consent from the data subject
  • Contract (you need the data to perform a contract with them)
  • Legal obligation (you must keep tax records for SARS)

Most bookkeeping data sits comfortably under "contract" or "legal obligation". You don't need to ask a client's permission to keep their invoice for SARS; the law requires you to.

3. Purpose specification

State the purpose for which you are collecting the data, and don't drift beyond that purpose. If you collected a client's email to send invoices, you don't get to add it to your monthly newsletter without separate consent.

4. Further processing limitation

If you want to use the data for a new purpose beyond the original, you need a fresh basis (typically fresh consent). Practical example: receipt OCR text goes into your bookkeeping. Using the same data to "improve our AI" is a new purpose and needs a new basis.

5. Information quality

The data has to be accurate, complete, and up to date. If a client tells you their VAT number changed, you have to update it. If a receipt was OCRed wrong, you have to fix it.

6. Openness

You have to tell the data subject what you're collecting, why, where it's going, who you share it with, and how long you'll keep it. The standard mechanism is a privacy policy. Snap-a-Slip's is at /privacy; yours should be similar in shape.

The privacy policy needs to cover:

  • Who you are
  • What data you collect
  • Why
  • Who you share it with (sub-processors)
  • How long you keep it
  • The rights people have (see condition 8)
  • How to contact you about data

7. Security safeguards

You must implement "appropriate, reasonable technical and organisational measures" against loss, damage, and unauthorised access. Translation:

  • Encrypted data in transit (TLS, basically free now)
  • Encrypted at rest where practical (full-disk encryption on laptops, encrypted backups)
  • Strong passwords, ideally a password manager
  • Access controls (only people who need the data can see it)
  • Backups
  • A plan for what to do when a breach happens (section 22 requires you to notify the Regulator and the affected data subjects as soon as reasonably possible after you discover unauthorised access)

You don't need ISO 27001 to be compliant. You do need to be able to articulate the controls you have in place and why they're "reasonable" given the sensitivity of the data.

8. Data subject participation

This is the big one for visible compliance. POPIA gives every data subject specific rights:

  • Access (s23): they can ask what data you hold about them, and you must respond within a reasonable time (typically 30 days).
  • Correction (s24): they can ask you to correct or update the data.
  • Deletion (s24): they can ask you to delete it, subject to overriding legal obligations (you can't delete the SARS-required records during the 5-year retention window).
  • Objection: they can object to processing for direct marketing, and you must stop.
  • Complaint: they can complain to the Information Regulator (free) and the Regulator can investigate.

Practically, this means you need a process for handling these requests, and an email address that gets monitored. The mechanism doesn't have to be fancy. It does have to work.

What this means for your records

Translating the conditions to a small-business bookkeeping setup:

  • Your client list is personal information. Keep it secure, don't share it without basis, give clients a way to update or delete their entry.
  • Your receipts contain personal information (merchant contact details, sometimes ID numbers, sometimes employee names). Store them somewhere encrypted, not in a public folder.
  • Your bookkeeper or accountant is an "operator" under POPIA (the GDPR-derived term is "processor" or "sub-processor"): someone who processes personal information on your behalf. Section 21 requires a written contract with them that obliges them to keep the information confidential and to maintain the security safeguards of section 19. Their professional body usually has a template.
  • Your accounting software vendor (Xero, Sage, QuickBooks, Snap-a-Slip) is an operator too. Check their privacy policy and terms to confirm they commit to appropriate safeguards, and keep a copy of the agreement you accepted.
  • Cross-border transfers (your data living on a server in the US or the UK) are allowed but need an adequate basis, usually a contractual one. Most major SaaS providers have this baked into their standard terms.

Practical checklist

Run this checklist quarterly:

  1. Privacy policy is current and reflects what you actually do. Updated when you add a new tool or change a process.
  2. Information Officer is named (probably you), with contact details on the privacy policy.
  3. Sub-processor list is current. New vendor added means a fresh look at their privacy practice and a written agreement.
  4. Access request process exists. Email address monitored. Turnaround target of 30 days or less, written down.
  5. Deletion workflow exists. You can find and remove a specific person's data within a few hours of a request, except for records you must legally retain.
  6. Security basics are in place: full-disk encryption, password manager, two-factor on email and accounting software, backups.
  7. Breach response plan, even a simple one. Who do you call, what do you do in the first 24 hours, how do you notify the Regulator and affected people?
  8. Data minimisation review: at least once a year, look at what you collect and ask "do we actually need this?". Stuff you don't need shouldn't be collected; stuff you collected and no longer need should be deleted.

The whole list, on a normal small business, is achievable in a long afternoon.

Where SARS rules and POPIA rules collide

The most common confusion in bookkeeping is the apparent conflict between POPIA's "delete on request" and SARS's "keep records for 5 years".

The resolution is in section 14 of POPIA: data must not be retained longer than is necessary, subject to other laws requiring retention. The Income Tax Act and Tax Administration Act require retention for at least five years (sometimes more) from the date of the relevant return. POPIA explicitly defers to that. Section 14 also tells you what to do with records you must keep but no longer actively use: restrict them, so that apart from storage they are processed only for purposes of proof, not for anything else.

Practical implication: you can't delete a client's records mid-tax-year just because they asked. You can delete the parts not subject to retention (their newsletter subscription, their CRM notes, their non-tax communications), but the actual tax-relevant records stay until the retention window ends.
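The deletion workflow from the checklist and the collision described above come down to one decision per record: erase it now, or hold it (restricted) until its statutory window lapses. The following is an added example of that decision logic, not Snap-a-Slip's code. It assumes a record model of my own (a `category`, and for tax-relevant records the date the related return was submitted, which is what the five-year clock in the Tax Administration Act runs from), a constructed category-to-retention mapping, and sample records that are made up for the demonstration. Anything the mapping does not recognise is sent for human review rather than erased, because wrongly erasing a record SARS can demand is the more expensive mistake.

```python
"""Retention-aware handling of a POPIA deletion request (added example).

Assumptions, all mine rather than the article's:
- each Record carries a category and an anchor_date; for tax-relevant
  categories the anchor is the submission date of the related return;
- RETENTION_YEARS is a constructed mapping; check your own categories
  against the Tax Administration Act and your professional body's guidance.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Iterable, List, Optional

# Statutory retention duty per category, in years from the anchor date.
# None means no statutory duty: erase on request.  Constructed mapping.
RETENTION_YEARS: Dict[str, Optional[int]] = {
    "invoice": 5,
    "receipt": 5,
    "vat_return": 5,
    "crm_note": None,
    "newsletter_subscription": None,
    "support_email": None,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    subject_id: str
    category: str
    anchor_date: date  # return submission date for tax records; ignored otherwise


@dataclass
class DeletionPlan:
    erase: List[str] = field(default_factory=list)        # delete now
    restrict: Dict[str, date] = field(default_factory=dict)  # record_id -> hold until
    review: List[str] = field(default_factory=list)       # unknown category: a human decides


def add_years(d: date, years: int) -> date:
    """d plus `years`, clamping 29 Feb to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expiry(rec: Record) -> Optional[date]:
    """Date on which the statutory hold on `rec` lapses, or None if it has no hold."""
    years = RETENTION_YEARS.get(rec.category)
    if years is None:
        return None
    return add_years(rec.anchor_date, years)


def process_deletion_request(records: Iterable[Record], subject_id: str, today: date) -> DeletionPlan:
    """Split one data subject's records into erase / restrict / review buckets.

    Records belonging to other subjects are never touched.  Records whose
    category is not in RETENTION_YEARS fail closed into `review`.
    """
    plan = DeletionPlan()
    for rec in records:
        if rec.subject_id != subject_id:
            continue
        if rec.category not in RETENTION_YEARS:
            plan.review.append(rec.record_id)
            continue
        expiry = retention_expiry(rec)
        if expiry is None or expiry <= today:
            plan.erase.append(rec.record_id)
        else:
            # Section 14 restriction: keep for proof only, until the window lapses.
            plan.restrict[rec.record_id] = expiry
    return plan


# Constructed sample data for the demonstration (not real client records).
SAMPLE_RECORDS = [
    Record("r1", "client-42", "invoice", date(2021, 3, 10)),                 # held until 2026-03-10
    Record("r2", "client-42", "receipt", date(2018, 2, 1)),                  # window lapsed: erase
    Record("r3", "client-42", "crm_note", date(2023, 5, 5)),                 # no duty: erase
    Record("r4", "client-42", "newsletter_subscription", date(2022, 1, 1)),  # no duty: erase
    Record("r5", "client-42", "ocr_scratch", date(2023, 9, 9)),              # unknown category: review
    Record("r6", "client-77", "invoice", date(2021, 3, 10)),                 # other client: untouched
]

if __name__ == "__main__":
    plan = process_deletion_request(SAMPLE_RECORDS, "client-42", date(2024, 6, 1))
    print("erase now:   ", plan.erase)
    print("restrict:    ", {k: v.isoformat() for k, v in plan.restrict.items()})
    print("needs review:", plan.review)
```

The output of the plan is what you act on and what you tell the requester: which records are gone, which are held until a stated date, and which are waiting on a decision. Writing the hold date into the restricted record, rather than into someone's memory, is what makes the eventual deletion actually happen.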

You should be transparent about this in your privacy policy. Snap-a-Slip's policy spells it out: receipts are kept for the active period plus 7 years for SARS audit support, and only after that are they deleted.

How Snap-a-Slip handles POPIA

We're a SA-registered company processing SA data, so the same rules apply to us. Our setup:

  • Information Officer at hello@snap-a-slip.com
  • Data residency in af-south-1 (Cape Town)
  • Sub-processors (OpenAI, Google Cloud Vision, Cloudflare R2, Meta WhatsApp, PayFast, Vercel) listed in the privacy policy with the role each plays
  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Retention windows documented and enforced (active accounts plus 7 years for SARS support, 5 years for payment metadata, 90 days for logs)
  • Right of access: type "export everything" in WhatsApp; we respond within 7 days
  • Right of correction: instant via WhatsApp ("merchant ...", "amount ...")
  • Right of deletion: type "delete account"; we confirm and remove within 7 days

The full policy is at /privacy, updated whenever practice changes.

Closing

POPIA is not a tick-box exercise. It's a set of habits about handling other people's data with reasonable care. The reason it exists is that South Africans had no dedicated, enforceable data-protection statute against careless or malicious handling of their data until POPIA, and now they do. Treating it as paperwork misses the point; treating it as a discipline gets you to compliance and trust at the same time.

If you want a tool that handles the bookkeeping side with POPIA already baked in, start on WhatsApp or read the privacy policy first. The next blog in this series is Xero vs Sage vs QuickBooks for SA if you're choosing accounting software.

Track receipts on WhatsApp

Stop chasing slips at month-end.

Snap-a-Slip captures every receipt the moment it lands. SARS-ready exports for Xero, Sage, QuickBooks.