
The 6 Most Common POPIA IT Compliance Gaps in South African Businesses

Dhruvit Patel, Technology Consultant · 29 April 2026 · 9 min read

Most South African businesses have taken some steps toward POPIA compliance. A privacy policy was updated. A cookie banner was added to the website. Someone was designated Information Officer. The box was ticked.

What most of these businesses have not done is look at their IT systems — where personal data actually lives, how it moves, who can access it, and whether the technical safeguards required by POPIA Section 19 are genuinely in place.

The gap between a compliance document and a compliant IT environment is where the real risk lives. The Information Regulator has made clear that enforcement is not about intentions — it is about evidence. If a breach occurs and you cannot demonstrate that reasonable technical safeguards were in place, the documentation you filed means very little.

These are the six IT compliance gaps we encounter most consistently when working with South African businesses across mining, construction, healthcare, eCommerce, and professional services. For a broader understanding of POPIA's technical requirements, our guide on POPIA compliance and your IT systems covers all eight conditions in detail.

Gap 1: No Role-Based Access Control on Systems Containing Personal Data

This is the single most common and highest-risk gap across every industry we work in. Personal data — customer records, employee files, patient information, financial data — is accessible to anyone who has a login to the system. There is no control over who can see what based on their role or function.

POPIA Condition 7 requires that personal information is protected against unauthorised access. The Information Regulator's guidance is explicit: access to personal information must be limited to those who need it for their specific function.

In practice, this means implementing role-based access control (RBAC) on every system that holds personal data. A customer service agent should not have access to payroll records. A junior finance clerk should not have access to full customer financial histories. A field technician should not have access to HR files.

The gap is almost always not deliberate — it is a default. Systems are set up with broad access permissions because it is easier, and nobody ever revisited those permissions as the business grew and roles became more specialised.

What closing it requires: An audit of every system holding personal data, a review of who has access to what, and the implementation of role-based permissions that restrict access to what each role genuinely needs. This is not a one-time exercise — it requires quarterly review as staff join, leave, and change roles.
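An added illustration of the two halves of this gap, deny-by-default RBAC and the quarterly access review; the role matrix and user list below are constructed for the example and are not from any real system:

```python
from datetime import date, timedelta

# Constructed role matrix (assumption): each role maps to the data categories
# it genuinely needs. Categories mirror the article's examples.
ROLE_PERMISSIONS = {
    "customer_service_agent": {"customer_contact"},
    "junior_finance_clerk": {"invoices"},
    "senior_finance": {"invoices", "customer_financial_history", "payroll"},
    "hr_officer": {"hr_files", "payroll"},
    "field_technician": {"work_orders"},
}

def can_access(role, category):
    """Deny by default: an unknown role or an unlisted category gets no access."""
    return category in ROLE_PERMISSIONS.get(role, set())

def access_matrix():
    """Who-can-see-what table for the review: data category -> sorted roles."""
    matrix = {}
    for role, categories in ROLE_PERMISSIONS.items():
        for category in categories:
            matrix.setdefault(category, []).append(role)
    return {c: sorted(r) for c, r in sorted(matrix.items())}

def stale_reviews(users, today, max_age_days=90):
    """Return user ids whose access was last reviewed more than a quarter ago,
    or whose role no longer exists in the matrix (leaver or role change)."""
    flagged = []
    for user in users:
        role_gone = user["role"] not in ROLE_PERMISSIONS
        overdue = today - user["last_review"] > timedelta(days=max_age_days)
        if role_gone or overdue:
            flagged.append(user["id"])
    return flagged

# Constructed sample user list for the review run
USERS = [
    {"id": "u1", "role": "customer_service_agent", "last_review": date(2026, 3, 1)},
    {"id": "u2", "role": "field_technician", "last_review": date(2025, 10, 1)},
    {"id": "u3", "role": "contractor", "last_review": date(2026, 4, 1)},
]

if __name__ == "__main__":
    print(access_matrix())
    print(stale_reviews(USERS, date(2026, 4, 29)))
```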

Gap 2: Unpatched and Unsupported Systems Running Personal Data

If your business runs on a platform that is no longer supported by its vendor, that platform is not receiving security patches. Every known vulnerability in that system is permanently open. That is not a theoretical risk — it is an active attack surface.

POPIA Section 19 requires that personal information is protected by appropriate technical safeguards. Running personal data through an unpatched, unsupported system is incompatible with that requirement. If a breach occurs on an unsupported platform, demonstrating that you took reasonable precautions becomes very difficult.

This gap is widespread in the SA mid-market. Older versions of Sage, Pastel, and various custom-built systems from the early 2000s are still running in businesses that have never had the budget or appetite to replace them. The compliance risk has crept up on those businesses as POPIA enforcement has matured.

What closing it requires: An inventory of every system in your environment and its current support status. Systems past end-of-life that hold personal data need a modernisation plan with a defined timeline. This is one of the strongest practical reasons for legacy modernisation — not just operational efficiency, but compliance risk reduction.

Gap 3: Personal Data Transmitted Without Encryption

Data moving between your systems — or between your systems and third parties — over unencrypted connections is data that can be intercepted. Customer records sent via unencrypted email. Database connections between internal systems that do not use TLS. File transfers that rely on FTP rather than SFTP. These are not edge cases. They are common in businesses that have grown over time and added systems without enforcing security standards consistently.

POPIA's security safeguard requirement covers data both at rest and in transit. Most businesses have heard of database encryption and understand it at a conceptual level. Fewer have actually verified that every data-in-transit channel in their environment is encrypted end to end.

What closing it requires: A network audit that maps every data flow involving personal information and confirms that TLS or equivalent encryption is in place on each connection. Particular attention should be paid to legacy system integrations, email-based data sharing, and any data that leaves the corporate network to reach third parties.
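An added example of the data-flow audit described above, not from the original article: it takes an inventory of connection strings and reports every flow that is not positively known to use an encrypted transport, flagging those that leave the corporate network. The inventory and the internal domain suffix are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: the data-flow inventory is kept as connection URLs.
ENCRYPTED = {"https", "sftp", "ftps", "smtps", "ldaps", "wss", "ssh"}
CLEARTEXT = {"http", "ftp", "smtp", "ldap", "ws", "telnet"}
PG_TLS_MODES = {"require", "verify-ca", "verify-full"}  # libpq sslmode values that enforce TLS

def channel_is_encrypted(url):
    """Return (encrypted, reason) for one connection string.
    Anything not positively known to be encrypted is reported as a gap."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme in ENCRYPTED:
        return True, f"{scheme}: encrypted transport"
    if scheme in CLEARTEXT:
        return False, f"{scheme}: cleartext transport"
    if scheme in ("postgresql", "postgres"):
        # libpq's default sslmode is 'prefer', which falls back to cleartext
        mode = parse_qs(parts.query).get("sslmode", ["prefer"])[-1]
        return mode in PG_TLS_MODES, f"sslmode={mode}"
    return False, f"{scheme or 'no scheme'}: encryption not verified"

def audit_flows(flows, internal_suffix):
    """flows: {name: url}. One finding per flow; a flow whose host is outside
    internal_suffix leaves the network and reaches a third party."""
    findings = []
    for name, url in flows.items():
        encrypted, reason = channel_is_encrypted(url)
        host = urlsplit(url).hostname or ""
        findings.append({"flow": name, "encrypted": encrypted, "reason": reason,
                         "leaves_network": not host.endswith(internal_suffix)})
    return findings

def flows_needing_action(flows, internal_suffix):
    """Names of flows carrying personal data over an unverified or cleartext channel."""
    return [f["flow"] for f in audit_flows(flows, internal_suffix) if not f["encrypted"]]

# Constructed sample inventory (not a real environment)
SAMPLE_FLOWS = {
    "payroll bureau upload": "ftp://files.bureau.example/uploads",
    "CRM sync": "https://crm.example.com/api",
    "reporting DB": "postgresql://reports.corp.example.internal/app?sslmode=disable",
    "HR DB": "postgresql://hr.corp.example.internal/hr?sslmode=verify-full",
    "statement email relay": "smtp://mail.corp.example.internal",
}

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS, ".corp.example.internal"):
        print(finding)
```

Only `verify-full` also authenticates the database server; `require` encrypts but does not check the certificate, so treat it as a minimum rather than a target.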

Gap 4: No Documented Data Processing Agreement with Third Parties

Almost every South African business shares personal data with external parties. Payroll is processed by a bureau. Marketing emails are sent through a platform. IT support is provided by an external firm that has access to your systems. Customer data flows into a cloud-based CRM.

POPIA defines these arrangements clearly: when you share personal data with a third party that processes it on your behalf, that third party is an operator. You are required to have a written agreement in place that binds the operator to the same data protection standards your business is subject to. That agreement must specify what data is shared, the purpose, the security requirements, what happens in the event of a breach, and what happens to the data when the relationship ends.

Most businesses have none of these agreements in place. The relationships exist. The data flows. The agreements do not.

What closing it requires: A mapping of every third party that receives or processes personal data on your behalf. For each one, a data processing agreement needs to be drafted and signed. These are not complex legal documents — they are practical operational agreements — but they need to exist before a breach occurs, not after.

Gap 5: No Cloud Data Sovereignty and Compliance Verification

South African businesses have moved significant amounts of data and workloads to cloud platforms over the past five years. AWS, Azure, Google Cloud, and dozens of SaaS platforms now hold personal data that was previously stored in on-premises systems.

POPIA places specific obligations on where and how personal information is stored when it is transferred outside South Africa. The general rule is that personal information may only be transferred to a foreign country if that country has adequate data protection laws, or if the recipient is bound by binding corporate rules or contractual terms that provide equivalent protection.

The compliance gap here is almost never deliberate. Businesses move to cloud platforms because it is operationally sensible. They rarely verify the data residency settings, check whether the platform's standard terms meet POPIA's cross-border transfer requirements, or document the lawful basis for the transfer.

What closing it requires: An audit of every cloud platform holding personal data. For each platform: confirm where data is stored, review the vendor's data processing terms against POPIA's cross-border requirements, and document the lawful basis for the transfer. Where the terms are inadequate, updated agreements or alternative data residency configurations may be required.

Gap 6: No Documented Incident Response Plan for a Data Breach

POPIA Section 22 requires that you notify the Information Regulator and affected data subjects if a security compromise has occurred or is likely to have occurred. The notification must happen as soon as reasonably possible. If a breach occurs and you have no documented process for detecting it, containing it, assessing the scope, and notifying the right parties — you will be making those decisions under pressure, in a crisis, while potentially under regulatory scrutiny.

Most South African businesses have no incident response plan for a data breach. Some have a generic IT incident process. Very few have the specific documentation POPIA requires: who is responsible for the decision to notify, what the notification procedure is, how systems are contained during a breach, how affected data subjects are identified, and how the incident is documented for the regulator.

A breach response plan must exist before a breach occurs. It cannot be created in the hours after a breach is discovered. The businesses that handle data breaches well are the ones that had already thought through what they would do — not because they expected to be breached, but because the plan is part of responsible data management.

What closing it requires: A documented incident response plan that covers detection, containment, assessment, notification, and post-incident review. The plan should be tested — at minimum through a tabletop exercise — before it is needed. Staff who have responsibility under the plan should know it exists and understand their role in it.

Closing the Gaps — Where to Start

None of these six gaps requires a large project to close individually. What they do require is a structured assessment that identifies which gaps exist in your specific environment, prioritises them by risk, and produces a practical remediation plan.

The businesses that are genuinely POPIA compliant at the IT level did not get there by guessing. They started by understanding exactly where they stood — and then worked through the gaps systematically.

Our Cybersecurity and Data Management service provides exactly this — a structured assessment of your IT environment against POPIA's requirements, a prioritised compliance roadmap, and ongoing management of your cybersecurity posture once the gaps are closed.

For businesses where the root cause of compliance gaps is ageing or unsupported systems, a Legacy System Assessment identifies which systems are carrying the highest compliance risk and what a safe, phased modernisation path looks like.

For businesses with data spread across cloud platforms that has never been properly audited, our Cloud Management service reviews your cloud environment against POPIA's data sovereignty and security requirements.


Nimblechapps SA provides cybersecurity and POPIA compliance services for South African businesses in mining, construction, healthcare, education, and eCommerce. Book a free consultation to find out which of these gaps exist in your business — before the Information Regulator finds them first.
