Since the Protection of Personal Information Act (POPIA) came into effect, businesses across South Africa have been scrambling to update contracts, change systems, and create new policies. While compliance is essential, we’ve seen many organisations go overboard — quoting legislation at clients, adding unnecessary red tape, and making business harder than it needs to be.
At VDM Attorneys, we believe that POPIA compliance should be practical, proportionate, and effective. Let’s unpack what you really need to know.
What is Consent Under POPIA?
Consent is the lawful basis most businesses rely on under POPIA. It is one of the justification grounds listed in section 11 (others include processing that is necessary to carry out a contract with the client), and it means that a person has voluntarily, specifically, and informedly agreed to the processing of their personal information.
- Voluntary – the client must not be forced or misled;
- Specific – consent must cover the purpose for which the data will be used (e.g., to contact them about a property transaction); and
- Informed – the client should know what they are agreeing to, in clear language.
Consent doesn’t require a 10-page contract. In practice, it can be as simple as a client ticking a box on a form, replying “yes” to an email or WhatsApp, or signing a standard instruction sheet - provided you can prove that consent was obtained.
The “One Shot to Contact” Policy
One of the practical interpretations of POPIA is the “one shot to contact” rule. It comes from section 69, which governs direct marketing by electronic means (email, SMS, automated calls and similar). You are allowed to reach out to a new contact who is not an existing customer once, to introduce yourself and your services and to ask for their consent to further contact, and only if they have not previously refused.
If they consent, you can keep communicating. If they ignore you or opt out, you cannot keep pushing. Existing customers are treated differently: you may market similar products or services to them, provided you gave them a chance to opt out when you collected their details and give them that chance again in every message.
This balances two things:
- Your right to market and do business; and
- The consumer’s right to privacy.
Handled correctly, it means you can still prospect and grow your client base - without running the risk of harassment or non-compliance.
The Minimum You Need to Comply
POPIA compliance isn’t about expensive systems or heavy contracts. The key is keeping evidence of engagement:
- Record Consent – keep a log of how and when the client gave you consent (e.g., signed mandate, email reply, web form submission), and keep the form, message or signed sheet itself.
- Purpose Limitation – use the information only for the purpose you told the client. Don’t collect data you don’t need.
- One Shot to Contact – if you’re reaching out cold, do it once, clearly, and respectfully.
- Respect Opt-Outs – if a client says no, or unsubscribes, stop. Keep a record to show compliance.
- Protect What You Store – keep personal data secure, whether it lives in a CRM, an email system, or a physical file. POPIA requires reasonable technical and organisational safeguards (section 19), so limit who can access the data, keep backups, and know whom you must notify if it is lost or leaked.
Why Data Rich is Better than System Heavy
Some businesses focus on building layers of systems and contracts to “show” compliance, but miss the point. POPIA is about accountability — can you show that you’ve handled personal data responsibly?
The practical solution is to be data rich:
- Keep accurate records of when you obtained consent;
- Note down when a client opened, replied to, or engaged with your communication; and
- Store only what’s relevant and useful.
That way, if the Information Regulator ever asks, you have the evidence at your fingertips - without the clutter of over-engineered compliance.
Keep Compliance Simple
POPIA compliance doesn’t need to cripple your business. With clear consent practices, a respectful “one shot to contact” approach, and proper record-keeping, you can stay on the right side of the law while still engaging meaningfully with clients.
At VDM Attorneys, we help businesses cut through the noise of over-engineered compliance and focus on what the law actually requires. The goal isn’t to drown in systems - it’s to build trust, grow relationships, and keep data safe.