POPIA Responsible Party Action List: What you can do right now.

How to use this list
These are actions a responsible party (an HOA, body corporate, managing agent, landlord, employer or institution controlling a gated access point) should begin immediately, without waiting for the Code to be finalised. None of them depends on the final text; all of them will hold regardless of how the outstanding issues are resolved. Together they move you from “we assume we comply” to “we can prove we comply.”
1. Assign ownership of the POPIA function
Nothing else on this list happens until someone owns it.
Appoint your Information Officer formally and in writing, and register them with the Information Regulator if you have not already. This is not a titular role; the person needs the authority to direct operations and the accountability to answer for them. Where the environment is large or complex, appoint Deputy Information Officers for specific functions (for example, the estate manager for gate operations). Document the appointment, the reporting line and what the role is responsible for. Until ownership is assigned, transparency is an intention, not a practice.
2. Map what actually happens at your gate
You cannot govern what you have not documented.
Conduct a data inventory of every personal information collection point in the access environment: the visitor register, biometric readers, CCTV, license plate recognition, resident call-in systems, contractor sign-in and delivery logs. For each one, record what is collected, why, where it is stored, who can see it, and how long it is kept. This single exercise underpins almost every other obligation: purpose specification, minimality, retention, security and openness all depend on it.
3. Conduct a risk assessment and match what you collect to it
Proportionality is measured against risk, not assumed.
Before you can justify what you collect, you have to define what you are protecting against. Conduct a documented risk assessment for the environment: what are the actual security or operational threats at this site, how likely are they, and how severe would the consequences be? The Code requires this: it expects a responsible party to identify and assess its risks, and then to ensure the personal information it processes is proportionate to those identified risks. The two halves are inseparable. A high-density complex with a documented history of armed intrusion can justify processing that a low-risk office park cannot, and the same environment cannot justify collecting biometrics, vehicle data and ID numbers if its own risk assessment does not support that level of intrusion. Document the risks, document the link between each category of personal information and the specific risk it addresses, and the proportionality of your collection becomes defensible rather than assumed. Where the risk does not justify the data, scale the collection back.
4. Test every data point against necessity
Collect what is necessary and proportionate, not what is convenient.
Work through the inventory from step 2, against the risk assessment from step 3, and challenge each field. Does capturing a visitor’s ID number, vehicle details, destination and biometric serve the access-control purpose, or is some of it habit? Minimality and proportionality are mandatory POPIA obligations, not optional risk preferences. Where a data point cannot be justified against a defined purpose and a real risk, stop collecting it. This is the fastest way to reduce both compliance exposure and breach risk at the same time.
5. Identify your lawful basis for each processing activity
Consent is not always the right answer, and is often the wrong one.
For each processing activity, identify the correct lawful basis: legitimate interest, performance of a contract, legal obligation, or consent. Many environments default to a “consent” form at the gate when the actual basis is a legitimate interest in the security of the property. Getting this right is important, because the basis you rely on determines what rights data subjects have and how you must handle an objection. Note, too, that the section 11(3) right to object does not create a right of initial entry to private property; that boundary should be reflected in how your basis and notices are framed.
6. Put up a proper privacy notice at the point of collection
The data subject at the gate should not be in the dark.
Draft and display a privacy notice where collection actually happens (at the gatehouse, or at the boom). It must state who is collecting the information, why, how long it is kept, who has access to it, and what rights the data subject has. This is one of the most visible, lowest-cost compliance wins available, and one of the most commonly missing.
ATG Digital can assist with POPIA-compliant Privacy Notices and Gatehouse Signage. Contact your ATG representative for more information.
7. Set and apply retention periods
No indefinite storage.
Define retention periods for each category and then actually enforce them. As working benchmarks: visitor registers in the region of 30–90 days, CCTV footage 7–30 days, incident reports 3–5 years, each adjusted to your environment’s documented risk profile. A retention policy that is written but never executed is worse than none, because it documents the gap. Confirm with your technology providers what their systems actually do when the retention window closes.
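The enforcement check in step 7, as an added example that is not part of the original article or of any ATG product: a retention audit that flags records a system has kept past the policy window, which is the evidence of a written-but-unexecuted policy. The categories, windows and records below are constructed for illustration; each site sets its own windows from its risk assessment.

```python
from datetime import date, timedelta

# Retention windows in days (constructed from the step 7 benchmarks;
# a real site takes these from its own documented retention policy).
RETENTION_DAYS = {
    "visitor_register": 90,
    "cctv": 30,
    "incident_report": 5 * 365,
}

# Constructed sample export from a gate system: (category, record id, date created)
SAMPLE_RECORDS = [
    ("visitor_register", "v-0001", date(2024, 1, 10)),
    ("visitor_register", "v-0002", date(2024, 5, 1)),
    ("cctv", "cam3-20240301", date(2024, 3, 1)),
    ("incident_report", "ir-2021-07", date(2021, 7, 15)),
    ("contractor_log", "c-0009", date(2024, 4, 1)),  # no window defined for this category
]


def retention_audit(records, policy, today):
    """Return (overdue, unclassified).

    overdue: (record id, category, days past expiry) for records kept beyond
    their category's window, i.e. the policy is not actually being executed.
    unclassified: record ids whose category has no retention window at all,
    which means the step 2 inventory missed a collection point.
    """
    overdue, unclassified = [], []
    for category, rec_id, created in records:
        if category not in policy:
            unclassified.append(rec_id)
            continue
        expiry = created + timedelta(days=policy[category])
        if today > expiry:
            overdue.append((rec_id, category, (today - expiry).days))
    return overdue, unclassified


if __name__ == "__main__":
    late, unknown = retention_audit(SAMPLE_RECORDS, RETENTION_DAYS, date(2024, 5, 15))
    for rec_id, category, days in late:
        print(f"OVERDUE   {rec_id:16} {category:18} {days} days past window")
    for rec_id in unknown:
        print(f"NO POLICY {rec_id:16} category has no retention window")
```

Run it against a real export at the cadence your review schedule specifies and keep the output with the audit records; an empty overdue list is the evidence that the window is enforced, not the policy document itself.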
8. Get your operator agreements in order, and verify them
A signed agreement that is never checked is a legal document, not a compliance tool.
Identify every operator processing personal information on your behalf: the guarding company, the visitor management platform, the biometric vendor, the CCTV or cloud storage provider. Confirm that a written operator agreement is in place with each; a service-level agreement alone is not sufficient. Then go a step further than most environments do: ask each operator to disclose, in writing, what they collect, how they secure it, and where it goes. You cannot build your framework until you have those documented answers, and you cannot rely on safeguards you have never confirmed.
9. Train the people at the gate
A framework that does not reach the gate is theoretical.
Guards, estate managers and managing agents process personal information every day, and most have never been told it carries a legal dimension. Regulation 4 places a specific duty on the Information Officer to ensure training and awareness takes place. Run basic POPIA awareness for frontline staff covering what they collect, why it matters, how to handle a data subject query, and what to do in the event of a breach. Keep a record of who was trained and when; that record is part of the evidence that your framework is operational.
10. Run a PIIA before any high-risk processing
If you cannot show it, it does not exist from a compliance perspective.
Where you use, or plan to use, biometrics, behavioural analytics, license plate recognition or automated decision-making, conduct a Personal Information Impact Assessment. Assess the risks, document the safeguards, and justify the processing against the security or operational need. For environments already running these technologies, treat the PIIA as a priority remediation task. Technology is not the problem; unjustified, unexplained, uncontrolled technology is.
11. Build a data subject request and complaints process
Residents, visitors and contractors have rights; you must be ready to honour them.
Set up a documented route for data subjects to access, correct, delete or object to their information, with a named contact and a defined response time. Establish a complaints process that escalates from internal resolution to an independent adjudicator and, if unresolved, to the Information Regulator. Have this ready before the first request arrives, not after.
12. Capture all of the above as a framework, not a policy
The Code is not asking you to write a policy. It is asking you to build a governance system.
Pull steps 1–11 together into a documented compliance framework: a defined strategy and objectives, the governance structure linking management to gate operations, the access-control privacy policy, the documented roles and processes, and a schedule for reporting and periodic review. The point is not the binder. The point is records that demonstrate the framework is live and operating, because under the Code, the question shifts from whether you comply to whether you can prove it.
A note on sequence
Steps 1 and 2 are prerequisites: assign ownership, then map your environment. Everything else can largely proceed in parallel once those two are done. An environment that completes steps 1, 2, 6, 8 and 9 within the first month will already be materially more defensible than the overwhelming majority of access-controlled sites operating today.
Safety and privacy are not enemies.
The Code requires us to do access control lawfully, transparently and responsibly. These twelve steps are how you start.
For more compliance insights and updates contact: popi@atgdigital.biz