Do small businesses also have to comply with POPIA?

From a data protection perspective, a small business is an organisation that employs fewer than 50 people. Those that employ fewer than 10 are considered micro-enterprises.

However, the need to comply with the Protection of Personal Information Act (POPIA) depends less on the size of the business and more on whether the data processing poses a risk to the data subjects.

Small and micro businesses need to comply with the Protection of Personal Information Act if:

  • the business’s main focus is data processing.
  • they have a high number of data subjects and employees.
  • they process sensitive/special personal information or information about children.
  • their data processing could cause damage or distress to the data subjects.
  • the business needs prior authorisation from the regulator.

Low-risk small businesses

Examples of small businesses that collect little, if any, personal data and pose a low risk to data subjects include:

  • Cafés, coffee-shops, restaurants, pizzerias and take-aways
  • Beauty salons, hairdressers, dry cleaners
  • Gift shops, ice-cream shops
  • B&Bs, including Airbnbs and guesthouses

If your business is small and falls into the low-risk category, you’re unlikely to need to attend POPIA workshops, buy into POPIA software or apply to the regulator for prior authorisation.

Instead, become familiar with the eight principles of POPIA. When you make adjustments to your business operations and data systems, make sure they’re in line with the regulation: not only do the principles optimise data protection, they can also meaningfully transform your business practices.

High-risk small businesses

Examples of small businesses that collect a lot of personal data and pose a high risk to data subjects include:

  • Accounting businesses that do audits on other businesses
  • Teams that conduct medical research, DNA testing or medical diagnoses of individuals
  • Teams that track people’s geolocations and interests online
  • Direct marketing agencies and those who use tracking to gain information
  • Those carrying out credit checks, or processing bond and insurance applications
  • Those that use innovative technology, biometric data, genetic data
  • Those who carry out data matching or invisible processing

What if my business is high risk?

If your business falls into the higher-risk category, there are immediate actions you can take that won’t cost you a lot of money:

  • Make sure you have safety measures in place to protect personal information you collect or process, e.g. the personal and banking details of your customers.
    These include installing an SSL certificate on your website and using cyber security software with antivirus and anti-malware components.
  • Get specific consent from the data subjects whose personal information you collect or process.
  • Don’t keep the personal information for longer than you promised to when gaining consent.
  • Add a privacy policy to your website.
  • Make it easy for your data subjects to contact you with complaints about your data processing or if they want to make a subject access request, e.g. via a form or a contact page on your website.
  • When you send newsletters/mass mailers and other marketing correspondence, make sure recipients are able to opt out or unsubscribe.
  • Keep cyber awareness high amongst your group of colleagues.

With these simple measures small, low-risk businesses can make headway towards compliance.

If you’re unsure about whether your processing poses a risk to your data subjects, check in with a POPIA consultant or take a short survey to see what kind of solution would help you manage your data in a compliant way.
