
Summary of POPI Act webinar.


All businesses must register regardless of size, from a one-person owner/operator to a business with thousands of employees. is the web address to do this.


At this time the link is switched off due to technical problems. Take a screenshot of your visit to the website as proof that you have tried to register.

You can download a pdf version although the site does not say where you send the completed form. At least you can be prepared for completing the online version when it is back up and running.

Please note:

There are only 6 compliance officers in the country, which is impossibly few to focus on enforcement. Registering as an information officer is the most important requirement.

In addition, no one but these 6 can certify compliance so don't pay for this as there is no certificate that can be obtained.

If anyone requests information on your data protection practices, you may give them a time frame in which you will respond, e.g. 30 days. This will give you time to prepare a response.

An information officer

Every business needs to appoint an information officer and this should be an owner or director of the business. This is viewed very seriously and a senior person must take responsibility.

A compliance manual

You must have a compliance manual that shows your data protection policies: what you have in place for data storage, when and how you communicate with clients, etc.

Storage of data

Your data must always be stored in a secure place. Treat it like you would money, don’t leave it lying around.
Digital data must be kept in a secure location. If it is cloud-based, make sure the cloud storage is encrypted. If it is on your laptop, ensure that the laptop is password protected and that the program (MS Excel or others) is password protected.

If you use salon software of some kind, your provider should be able to advise you on the safety of data.
Back-ups must also be stored securely.

If you use record cards or other physical card/paper methods, they must be kept locked away at all times and only accessed when the client turns up for an appointment.

Covid 19 protocols, visitor record form

The same goes for Covid 19 protocol forms completed by a client on arrival at the business premises.
Do not leave the form on a table for someone to be able to photograph or steal. This must be kept safely in your reception and only handed to a visitor purely for them to complete and must be handed back afterward. The forms must be locked away securely at the end of each working day.

Access to data

Only those who need access to data should be allowed to have it. Cleaning staff or others who do not have a need to view data should be unable to do so.

Staff who leave your employment

Our thanks to Karl Markwald regarding the situation with staff.
If a staff member leaves your business, they will be breaking the law if they subsequently contact clients of yours, whether directly by phone or email or through social media. You may need to amend your contract of employment to point out that they would be breaking the law in this instance.

The significance of this is the prevention of a staff member taking your clients if they leave your employment, a definite win for a salon owner.

Social media

You are not allowed to contact people via social media with the intent of promoting your business to them.

Cold calling

Cold calling is also prohibited. This means that you cannot randomly call someone to try to offer them treatments if they are not known to you. The same with email.

Permission-based marketing

You need to have the permission of your clients to send them promotional material and special offers.
A simple piece of text at the bottom of their client record such as:
By ticking this box I agree that the company may send me promotional information and special offers from time to time. (add the tick box)


If you did not have this previously and wish to send out such material, you should contact all your clients and ask them to opt out of any marketing list you may have.

Just to be clear, an opt-out is a must in every communication you send, such as an unsubscribe button in an email or a “Stop” reply on SMS.

If you have clients in your data who have not been in contact with you in some way within the last 18 months, you should delete them from your lists.

If you have personal information about a client, perhaps their birthday or a daughter’s wedding that was discussed in conversation, it should not be shared with a third party in any way, not even in conversation. All your staff should be made aware of this.

If you know your client's birthday, you should only send them birthday wishes if they have agreed to such communication as in the opt-out clause above.

It may be a good idea to run through your mind the ‘journey’ a client makes when coming into your business, what information you record, where you store it, and what you intend to do with that information. If there is an intention to contact the clients, you need their permission. If there is a possibility of someone stealing the information, or you losing it, you need to improve your storage systems and security.

Karl Markwald – CEO ESP

Samantha Lockhart – My Spa Consultants


Registration portal:

Link to Samantha Lockhart’s article:

Facebook recording of the webinar:
