*Seshni Moodley is an admitted attorney, director of Seshni Moodley attorneys incorporated , with expertise in digital, civil and criminal law. She holds a masters in human rights law and is currently pursuing her PhD in human rights law.
Image: supplied
Think about the last time you handed over a copy of your ID at a reception desk. You probably did not think twice. Most of us do not.
We hand over our most personal information, including identity numbers, home addresses and phone numbers, with the quiet assumption that the business on the other side of the counter will treat this information with care.
But the truth is that too many businesses still treat personal information like a casual administrative detail instead of what it really is: a fundamental human right.
In South Africa, the right to privacy and the right of access to information are not abstract legal concepts. They are constitutional guarantees.
POPIA (the Protection of Personal Information Act) and PAIA (the Promotion of Access to Information Act) exist to give these rights practical meaning. Yet despite being law for years, compliance remains patchy, inconsistent and, in some cases, openly ignored.
This is not just a regulatory problem. It is a human rights problem.
When a business collects personal information, it is taking responsibility for something deeply intimate.
Your ID number can be used to impersonate you. Your address can be used to track you. Your medical information can expose your vulnerabilities. Your financial details can ruin you if they fall into the wrong hands.
POPIA is not just about paperwork. It is about dignity. It is about ensuring that the people who trust you, as a business owner, with their information are not left exposed because your filing system is sloppy or your staff are untrained.
It is about recognising that privacy is not a luxury for the wealthy or the tech-savvy. It is a right that belongs to every person who walks through your business door.
PAIA, on the other hand, is about transparency. It ensures that people can access information held by the state or private bodies when needed to exercise or protect their rights.
Without PAIA, accountability collapses. Corruption thrives in darkness and secrecy becomes a weapon.
Businesses that refuse to comply with PAIA are not just breaking the law. They are blocking people from getting the information they need to challenge wrongdoing and hold those in power to account.
Ignoring POPIA and PAIA is not a small administrative oversight. It is a violation of people’s rights.
Harm is done every time a business leaves personal files lying around, every time a receptionist photocopies an ID without explaining why, and every time a company refuses to provide information that a person is legally entitled to access.
This harm can either be immediate — identity theft, fraud or financial loss — or more subtle, such as a sense of vulnerability, a loss of trust or a feeling that your information is out there in the world with no protection.
Businesses often say, “We did not know,” or “We are still working on compliance,” or “We are too small for this to apply to us.”
The law is clear and does not make exceptions for ignorance or size.
If your business collects personal information, your business must comply. If your business holds information that affects someone’s rights, your business must provide access when legally required.
Let’s be honest: part of the reason compliance remains weak is that enforcement has been too gentle.
It is acknowledged that the Information Regulator has made progress, but the extent of this progress is not enough. South Africans deserve a regulator that is visible, assertive and unafraid to take action when businesses violate people’s rights.
We need more inspections. We need more fines. We need more public enforcement notices.
We need businesses to feel the consequences of non-compliance and not just read about them in annual reports.
Rights mean nothing if they are not enforced.
Businesses often imagine POPIA and PAIA compliance as a mountain of legal paperwork, but the reality is far simpler.
Compliance starts with understanding what personal information flows through your business — what you collect, why you collect it and how you protect it.
Once you can answer those questions honestly, you have already laid the foundation.
The real work is about being intentional and respectful with the information people trust you with.
From there, compliance becomes a matter of consistent habits. These include training your staff, securing your systems, responding properly to information requests and keeping your documentation up to date.
These are not complicated tasks. They just require commitment.
When you get these basics right, you protect your customers, strengthen your reputation and reduce your legal risk.
In other words, compliance is not a burden. It is a responsible way of doing business.
Businesses often complain that POPIA and PAIA create extra work. But protecting people’s rights is not an inconvenience.
It is part of doing business ethically. It is part of respecting the people who keep your doors open. It is part of building a society where privacy and transparency are not negotiable.
If your business handles personal information — and almost every business does — then compliance is not optional.
It is not only a legal duty but also a moral one.
POPIA and PAIA are tools to protect human dignity. It is time for every business, from the smallest sole proprietor to the largest corporation, to take them seriously.
*The opinions expressed in this article do not necessarily reflect the views of the newspaper.*
DAILY NEWS