Final deadline for PAIA manual submission


Get your all in one PAIA and POPI manual solution today!



R1 999.00

The EasyPOPI DIY toolkit has been designed for small to medium sized businesses and people with no prior experience in the POPI act. It includes a roadmap for guidance, and we have also removed unnecessary legal jargon that adds no value to the action items of the project. The documents are pre-written and you can edit and adapt them as much as you need to. It also contains placeholders to insert your specific information.

Included are the following documents:

  • Company Assurance Certificate
  • Instructions on how to get you started
  • Key definitions to study
  • Information Officer Appointment form
  • Training the Processors
  • Data Subject Engagement
  • Strategic Risk Mitigation
  • Data mapping
  • Employee Contract Annexure
  • Privacy Policy
  • Processing by Processors
  • Data Protection Policy
  • Incident Management
  • Personal Information Request
  • Consents
  • Access Management Registration Control
  • PAIA Manual Guidance Note
  • PAIA Manual Template
  • PAIA Annexures 1 and 2
  • POPIA gap analysis
  • Data mapping tool
  • Operator Agreement
  • Guidance note - Information Officer
  • Guidance note - Information Officer duties
  • Information Officer registration form
  • Links to tutorial videos

Instant Purchase in 4 easy steps!
1. Pay with card, instant EFT or Snapscan
2. Receive an instant email
3. Click on download link
4. Files download straight to your PC
OR, if you would prefer an invoice, please send your details to

POPI Cloud Software Solution


Pricing & options for cloud software

Cloud Software Solution
Professional Business Business+ Enterprise
Employees Up to 9 10 - 50 51 - 250 250 +
Admins (all incl unlimited users) 2 2 5 unlimited
Support included
Records of processing activities
Compliance manager
Data mapping
Privacy notice management
Processor management
Breach incident management
Subject access request management
Automations & reminders
Support portal
Personal webinar training
Data protection impact assessments -
Head office with multiple subsidiaries - - -
Project data mapping to add - - -
Monthly subscription (software only) R 1 239 R 3 299 R 5 469 R 16 499
Add an Expert to Your Team
Add POPI external officer (6 month implementation)
Monthly Progress Reports
Dedicated hours per month 1 2 4 6
Monthly subscription (first 6 months, thereafter software only rates apply) R 2 139 R 5 598 R 9 268 R 27 398

Need a consultation?

Kindly complete below form and one of our consultants will be in touch.

What is POPI?

Did you know that the Protection of Personal Information Act will officially come into effect on 1 July 2021? This means that you have until 30 June 2021 to comply with its comprehensive requirements. Fail and you could face 10 years jail time or massive fines!

The POPI act applies to any private person or juristic entity that processes personal information by collecting, receiving, storing or using it.

Two types of persons can process information and it is important to distinguish whether you are a Responsible Party or an Operator as the obligations differ.

A contractor is typically someone who processes data on behalf of a responsible party like IT companies that run payroll systems for their customers or marketing agencies that do email marketing for their customers.

These contractors are required to have an operator contract and notify a responsible party if a data breach has occurred.

Responsible parties are typically a business that has customers like a medical practitioner with patient records or any company collecting personal employee information. Responsible parties must comply with 8 conditions for lawful processing of information namely

  • Information quality
  • Processing limitation
  • Further processing limitation
  • Accountability
  • Openness
  • Purpose specification
  • Security safeguards
  • Data subject participation

Getting compliant can be an expensive exercise, but with EasyPOPI it will be a walk in the park!

Why should you choose EasyPOPI?

360 degree approach

Our experts designed to have a solution for all types of businesses.


All our solutions have your pocket in mind.

Expert advice

Get expert advice at any point of your journey. Come partner with the best!

POPI in the news

PAIA registration

With everyone focusing on the deadline of 30 June 2021 for the implementation of the POPI Act, many lost sight of the fact that this was to also be the date for all entities to comply with the PAIA (Public Access to Information Act 2 of 2000).

Read More

Update on registering your Information Officer

Due to the popularity of the POPI Act, the registration portal for company information officers crashed towards the end of June 2021.

Read More

Amazon gets $888mil fine

Amazon is the latest target of the GDPR law makers. With a whopping $888mil fine it will be the biggest to date. Amazon says the fine is unfounded and will rigorously defend themselves. Amazon’s revenue was $26.9bil in 2020. So, the fine equates to 3% of annual turnover.

Read More

Information Regulator Portal Issues

Further to our blogpost of 22 June, the Information Regulator has indicated that they will not penalise anybody for missing the registration deadline on their online portal due to their technical issues they are experiencing.

Read More

Limited impact of Regulator’s extension in law

On or about the 17th day of June 2021, the Information Regulator {POPIA regulator} responded to a Section 57 and Section 58 {according to Section 114} of the POPIA Act request for extension submitted by Business Unity South Africa on 29 May 2021.

Read More

Do I have to be POPI compliant?

The 8 principles of the POPI Act are Accountability, Processing Limitation, Further Processing limitation, Purpose specification, Information Quality, Openness, Security safeguards and Data Subject Participation. We often get asked whether the law applies to a particular business and whether they need to implement a POPI program.

Read More

EasyPOPI DIY Toolkit Webinar

We are excited to publish our recorded webinar from 14 June. Watch as we talk you through each of the documents in the EasyPOPI DIY Toolkit. We positioned the toolkit to be the best value for money solution in the market and we are proud to keep adding resources to it. If you haven't started your compliance journey yet, this is the right place to start. Buy it for a once off R 1999 and get rid of the fear today!

Direct marketing and consent

Section 69 of the POPI Act outlaws direct marketing by means of any form of electronic communication unless the data subject has given their consent. Such an electronic communication obviously includes emails, SMSs and automatic calling machines. You can still market similar products to your customer and also send them notifications like financial transactions, alerts and debt collection as long as they can easily opt out of the communication.

Read More

POPI act comes into effect on 1 July 2021, or does it?

We often get asked if the POPI act will really come into effect on the 1st of July. If we had to bet on it our answer will be yes. Here are some of our reasons. Firstly, because the information regulator said so.

Read More

Breach management

The Information Regulator is very aware that breaches do happen and understands that there won’t still be hackers around if it didn’t. Criminals will always be with us. It is up to you and your company though to ensure that you have been reasonable in protecting your personal information.

Read More

EasyPOPI on Life Unboxed

Our very own Jacque Fourie alongside Prof Sizwe Snail ka Mtuze. Watch them unpack the implications for small businesses now having to comply with the POPI Act before the 1 July 2021 deadline.

The cornerstone of the POPI Act

Businesses are very much still in discovery mode when it comes to the POPI Act and its implementation. It is still a big concern how many executives palm it off to the hardest working secretary or HR person, left all alone to make sense of what to do. Searching the internet for the easiest, fastest, most effective way to get compliant, this individual has their work cut out for them.

Read More

The biggest risk to POPI compliance

With the POPI compliance deadline now 64 days away, South African businesses are getting ready for compliance. This will be a journey. Definition: an act of travelling from one place to another. With the emphasis on travelling, which implies taking some time.

Read More

The value of personal data

The 30 June POPI act compliance deadline is upon us and panic is setting in slowly but surely. Every day small businesses ask us what they must do to become compliant. Not only do they not know how to do it, but they do not understand that personal data is valuable.

Read More

Frequently Asked Questions

When you have completed all instructions in the toolkit you should be compliant. The way to test this is if you can answer yes to all the questions and statements in the gap analysis provided.

POPI compliance is self-regulatory. Not even the Information Regulator can give you a certificate of compliance. That's why we like the certificate of assurance as it merely states that your company adhere to the law as best you can.

Short story is you keep your POPI Manual on File and continuously make sure that you are living POPI every day.

If you are using direct electronic marketing (automatic calling machines, facsimile machines, SMS's and other types of text messages, as well as emails) you need the prior consent of data subjects - this consent you need to obtain by using Form 4. The data subject must tick the box to agree to receiving this information, and sign the document. Please keep this as proof.

If you are sending this communication to current clients / customers to whom you have sold a similar product or service before, you may approach them electronically and allow them the opportunity to opt out.

Please see an extract from the act below:

69 Direct marketing by means of unsolicited electronic communications

(3) A responsible party may only process the personal information of a data subject who is a customer of the responsible party in terms of subsection (1) (b)-
(a) if the responsible party has obtained the contact details of the data subject in the context of the sale of a product or service;
(b) for the purpose of direct marketing of the responsible party's own similar products or services; and
(c) if the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details-
(i) at the time when the information was collected; and
(ii) on the occasion of each communication with the data subject for the purpose of marketing if the data subject has not initially refused such use.
(4) Any communication for the purpose of direct marketing must contain-
(a) details of the identity of the sender or the person on whose behalf the communication has been sent; and
(b) an address or other contact details to which the recipient may send a request that such communications cease.

In terms of the act, a responsible party may only transfer personal information about a data subject to a third party (supplier, in this case) in another country if adequate levels of protection are provided in one of the following ways:

1. Appropriate laws in the foreign country (e.g. GDPR in the EU)
2. If the entity with which information is shared can prove they are bound by corporate rules
3. If there is a binding agreement between the responsible party and the foreign entity (supplier) about the processing of personal information, including limitation on the further transfer by the recipient.

The factors mentioned above should be sufficiently similar to the POPI legislation in order to ensure secure processing of personal information.

If the data subject consents to the transfer of personal information, or the transfer is necessary in the performance or conclusion of a contract between the responsible party and the data subject, the information can also be shared.

The principle here is about accountability, one of the 8 conditions of the act. In terms of the example below, the entity to which personal information was entrusted, is accountable (not the individual).

The entity can minimize risk by:

  • Limiting access only to trustworthy employees within the entity/third parties
  • Ensuring that employees are aware of the risks (together with proof that the entity ensured that employees are aware of risk)
  • Taking steps immediately after a breach has taken place to investigate fully what has taken place, and ensuring the necessary reporting takes place after the investigation
The employee can be brought to a disciplinary hearing, but the horse has bolted. It will show that the entity is serious about the protection of personal information, though.

A few points to consider:

1. The owner of personal information determines the responsible party
2. When the responsible party sends information to a 3rd party for processing (including storage), that 3rd party becomes an operator
3. Your POPI manual should indicate what operator relationships exist, as well as what information may be shared with operators.

Now, the result of the above is that you may both be operators, but in different relationships.

The following questions:

a. Does your client sign any agreement with the software cloud storage company? If not, the software cloud storage company cannot be an operator of the client.
b. Do you have an agreement in place about their protection environment, pertaining to personal (and also other) information stored with them? I am sure you do, but ensure it is sufficiently clear as to the implications of POPI.

When you offer the storage environment to your clients, you become an operator as they store personal information in your allotted cloud storage facility.

The Cloud Software Storage Company is an operator to you, as they provide the box in the cloud to you where processing takes place. What would therefore need to happen is for an operator agreement to be established between you and your client, stating that personal information may also be processed at the Cloud Software Storage Company.

It is important that at the time when the client approaches you, full disclosure is made of who operators are and what information may be processed with those operators (part of POPI manual).

Q. Are we required to obtain consent from each and every resident that we may hold their personal information? Even though we have had their information for years? Or is the consent applicable to new residents who move into the suburb?

A. You want consent from everyone. You can request that by way of a message that does not divulge all the other community members’ details. If you want to be able to have a group that does share information (names and telephone numbers, for example), now would also be the time to obtain that.

Q. As with any community initiative where residents voluntarily contribute, we have residents who do not contribute or support the concept. However, they are still on our database and are included in the distribution list when bulk mail notifications are sent out to the community. Because they do not support, is this communication to them considered to be unsolicited marketing? Is it illegal to email them information about the suburb’s security measures? Must there be an OPT OUT option on our communication to the residents?

A. Unless you market during your news updates, it is not unsolicited marketing. It would be prudent to add an opt-out, and you would then need to ensure that those individuals are not included in your next round of communication.

Q. Do you perhaps have a template for the operator contract? We do not have employees, but appointed committee members and the administrator have direct access to the database of resident information. And I gather that they will need to sign a contract regarding the protection of data subject information?

A. We do not provide a sample operator contract due to the diverse nature of agreements and legal technicalities linked to all the various businesses that buy the toolkit. From the description below, you have a team of volunteers. You would need an agreement that ties them to protecting personal information.