Your “POPIA Certification” Doesn’t Exist (No Matter What You Paid)
- May 11

There’s a dangerous “POPIA Certified” myth that’s making the rounds, and if you’re duped, it will expose your business to legal and financial risk. We’re here to separate POPI Act compliance fact from fiction, for legitimate peace of mind.
False Hope In POPIA Certification
A vendor hands over a glossy certificate, complete with an official-looking seal, declaring your business “POPIA certified.” It feels reassuring. It looks professional. You file it away and breathe a sigh of relief.
Here’s the problem: that certificate means nothing. Legally, nothing. And if you’re relying on it to protect your business, you’re building your compliance strategy on sand.
No Such Thing Exists
The Information Regulator (South Africa) is the only body empowered to monitor and enforce compliance with the Protection of Personal Information Act 4 of 2013. It has not created, endorsed, or authorised any certification system.
There is no approved process, nor an official stamp that declares a business “POPIA certified.”
Not one.
Michalsons, one of South Africa’s leading data protection law firms, puts it plainly on their website: currently, no one can provide you with a certification. The POPI Act doesn’t specify a process for it, and the Information Regulator hasn’t established one yet.
So, if someone is selling you POPIA certification, sound the alarm.
Compliance vs “Certification”: Know the Difference
Compliance and certification may seem similar, but they are not. Confusing them is exactly how businesses end up exposed.
POPIA compliance means your organisation is actually doing what the law requires:
lawfully collecting personal information,
protecting it properly,
giving people control over their data, and
governing the whole process responsibly.
Compliance is demonstrated through your policies, practices, people, and ongoing conduct. It’s a journey, not a destination.
“Certification”, as it’s being used in the South African market right now, is a term with no legal standing under POPIA. It implies formal, government-endorsed recognition, but carries none. The danger is that if a business believes it’s “certified”, it often stops doing the actual work of compliance.
Policies go unreviewed. Staff don’t get trained. An Information Officer never gets appointed. When the Information Regulator comes knocking - or worse, when a breach occurs - that certificate offers zero protection.
Red Flags to Watch For
Not every misleading claim comes from bad intent, but that doesn’t change the effect.
Here’s what should make you pause:
“Guaranteed” certification. No legitimate advisor can promise this. Anyone who does either doesn’t understand the law or is hoping you don’t.
Official-looking certificates from vendors. A product can be designed with privacy in mind, and that is genuinely valuable. But a certificate cannot replace your organisation’s compliance programme.
One-and-done promises. POPIA compliance is ongoing. Any service that claims to make you permanently compliant with a single purchase or training session isn’t being straight with you.
Do your due diligence. Ask the hard questions.
Check what the Information Regulator’s website actually says.
What Legitimate Compliance Actually Looks Like
Real compliance involves real work - but it’s what actually keeps your business protected and your data subjects’ information safe. Better an investment in adhering to the law than an administrative fine of up to R10 million or up to 10 years’ imprisonment.
Here’s where you should focus:
Appoint and register your Information Officer. Under Section 55 of POPIA, this is non-negotiable. Every responsible party must register their Information Officer with the Information Regulator via the eServices Portal. If this isn’t done yet, start here.
Review and update your policies. Your privacy notice, your PAIA manual, and your internal data processing agreements. These need to accurately reflect how your organisation actually handles personal information.
Train your people. Your staff are your biggest compliance asset and your biggest compliance risk. Ongoing training isn’t optional.
Build an ongoing governance programme. POPIA compliance has no end date. It requires regular gap analyses, policy reviews, and a compliance roadmap that evolves with your business.
For businesses operating in the access control space - estates, office parks, and warehousing facilities - wherever visitor information is captured at the gate, the compliance picture becomes significantly more defined. The draft Code of Conduct for Gated Access doesn’t leave much to interpretation: it translates POPIA’s conditions for lawful processing into specific, operational requirements for access-controlled environments. This means you’re not left trying to apply general privacy principles to a gatehouse scenario. The Code does that work for you. It sets out precisely what is required in terms of purpose, data minimisation, retention, and safeguards at the point of capture.
In other words, for gated access operators, the question is no longer “how do we interpret POPIA?” - it’s “are we meeting what the Code specifically requires?” We’ve covered the practical details in our guides to the POPIA Code of Conduct for Gated Access and scanning driver’s licence barcodes under POPIA. Compliance at the gate is about purpose, scope, and safeguards (not a piece of paper).
Are There Any Legitimate Badges or Programmes?
Yes, with an important caveat.
Michalsons offers a Data Protection Champ badge to organisations enrolled in their data protection programme who pass a health check and meet defined requirements. Crucially, Michalsons themselves are transparent: this is not a government certification. It signals that an organisation is taking active steps toward data privacy best practice - and that honesty is exactly what makes it credible. Programmes like this are genuine indicators of progress. They’re worth knowing about. Just don’t mistake them for something signed off by the Information Regulator.
Your Next Steps
If this article has made you question your current compliance posture, that’s a healthy response. Here are a few steps you can start today:
Conduct a gap analysis. For gated access operators, measure yourself against the draft Code’s specific requirements, not just POPIA’s eight conditions in the abstract. The Code has already done the interpretive heavy lifting.
Register your Information Officer at the Information Regulator’s eServices Portal.
Build a compliance roadmap. Prioritise your highest-risk gaps first and work through them systematically.
Engage credible advisors - ones who cite the Act, reference the draft Code directly, and are honest about what compliance actually requires in your specific operational context.
At ATG Digital, compliance isn’t bolted on, it’s built in. Our solutions are designed around what POPIA actually requires, and for access-controlled environments, around what the draft Code specifically sets out.
If you’d like to see what that looks like in practice, get in touch.