Priya has run the workshop on Old Main Road in Pinetown for twelve years. Brakes, clutches, suspension, diagnostics, and a steady line in servicing the Toyota and Hyundai fleet cars that shuttle employees between Westville and the CBD. Three technicians, a receptionist who doubles as the bookkeeper, regulars from the HDBs in Phoenix and the professionals from Kloof. The workshop keeps its customer records in a shared Google Sheet — rows of name, ID number, mobile, plate, vehicle, last service, mileage — synced between the receptionist's work laptop and Priya's personal Gmail so she can check from home. Every six months, the receptionist pulls a filter of "due soon" customers and sends an SMS blast from a third-party gateway: "Hi, your Toyota BM 28 YN KZN is due for a service. Call us to book." The workshop has done this since 2015. About 3,400 customers are in the sheet. None of them has ever been asked for specific written consent to be contacted.
Thursday, 10:40 a.m. An A4 envelope in the mail with the Information Regulator of South Africa letterhead. Priya opens it. "Notice of Investigation — Reference IR-INV/2026/KZN/00231 — Priya's Auto Services CC — kindly furnish the requested information within twenty-one (21) calendar days of this notice."
The complaint, summarised: one of the workshop's customers received a WhatsApp message from an unknown number with a link to a Google Sheet titled "Priya Auto Customers Master". She opened it out of curiosity. The sheet contained her name, her South African ID number, her mobile, her address, her vehicle registration, her last service date and her last outstanding balance — alongside those of 3,389 other customers. The link had apparently been shared accidentally on a family WhatsApp group by Priya's adult daughter, who had found the sheet open in a browser tab on Priya's home laptop and thought it was a shopping list. A cousin had forwarded the link elsewhere. The complainant saved screenshots and lodged a complaint with the Information Regulator.
The Regulator's investigation has two tracks. Track one: the data-security breach under section 19 of the Protection of Personal Information Act 4 of 2013 (POPIA) — failure to secure the integrity and confidentiality of personal information, compounded by failure to notify the Regulator and affected data subjects under section 22 as soon as reasonably possible after discovery. Track two: the direct-marketing programme under section 69 — electronic direct marketing to data subjects without prior written consent in the prescribed form, a separate contravention that the Regulator has been actively enforcing since 2024.
Priya has never heard of an Information Officer. She has no privacy policy on her website or counter. She has never registered anything with the Information Regulator. She has sent service-reminder SMSes to thousands of customers over eight years without once asking for opt-in consent. And she has the Google Sheet which, almost certainly, has been accessible to anyone her daughter handed the laptop to over the past year.
What POPIA actually requires — the eight conditions and the two trap sections
POPIA is organised around eight conditions for lawful processing of personal information (sections 8 to 25). Every organisation that processes personal information in South Africa — small workshop included, no turnover threshold — is bound by all eight. The conditions are: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. The Regulator tests every complaint against these eight in sequence.
For a small independent workshop, two specific sections decide most cases:
Section 19 — Security safeguards. The responsible party (the workshop) must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures. "Appropriate and reasonable" is fact-specific and scales to the organisation's size — the Regulator does not expect a R10 million security programme from a workshop with a turnover of R4 million — but the measures must genuinely exist. A Google Sheet shared between a work laptop and a personal Gmail, accessible to anyone who picks up the laptop, fails this section without the Regulator needing to look further. Shared spreadsheets on consumer cloud services with casual access are a standard Regulator finding; the case law is already stacking up.
Section 22 — Notification of security compromises. When a data breach happens, the responsible party must notify the Regulator and affected data subjects "as soon as reasonably possible" after the organisation has a reasonable belief that unauthorised access or acquisition has occurred. POPIA does not specify a fixed number of days (unlike Singapore's PDPA or Quebec's Loi 25), but the Regulator has consistently interpreted "as soon as reasonably possible" as measured in days and single-digit weeks — not months. A workshop that discovers a breach, does nothing, and only engages with the Regulator when a complaint arrives has failed section 22 as an independent violation.
And the trap section that catches almost every independent workshop in the country:
Section 69 — Direct marketing by means of unsolicited electronic communications. This is the one that matters most for day-to-day workshop operations. It prohibits processing personal information for the purpose of direct marketing by electronic communication (SMS, email, WhatsApp, automated call) unless the data subject has given consent to the processing or is a customer of the responsible party. The "customer" exception in section 69(3) is narrower than it reads: the marketing may only relate to the responsible party's similar products or services, and the customer must have been given, at the time their information was collected, a reasonable opportunity to object to use for marketing purposes and at every subsequent communication. That reasonable opportunity must be captured in writing.
In practice, this means: the service-reminder SMS programme a workshop runs on its customer base can be lawful under the customer exception, but only if, when the customer first came in, they were given a notice explaining that service reminders would be sent together with an opt-out option — and that notice is on record. Without a documented opt-in or the documented customer-exception notice, the whole programme is unlawful processing under section 69. A single complaint triggers the Regulator's enforcement track on direct marketing — a track the Regulator has been actively using since 2024, when it issued its first direct-marketing-focused enforcement notice and signalled that the workshop and retail sectors are a priority area.
The penalties: administrative fines up to R10 million under section 109 (imposed by the Regulator directly, no court process). Criminal offences: a fine up to R10 million or imprisonment up to 10 years. The Regulator's first administrative fine of R5 million was issued in July 2023 against the Department of Justice for a data breach. Three further enforcement notices were issued in 2024. A small workshop is not the Regulator's priority — but a complaint received in a priority sector (retail, motor, direct marketing) moves up the queue.
Five POPIA measures every KZN workshop should already have in place
1. Named Information Officer — registered with the Regulator
Section 55 of POPIA mandates the appointment of an Information Officer. By default, the head of the organisation is the Information Officer — so for a CC or Pty Ltd, it is one of the members/directors. The Information Officer must be registered with the Information Regulator using the prescribed online portal. The registration is free; the absence of registration is a standard first finding in any Regulator investigation. The Information Officer's name, role, email and phone must be published in the privacy policy and on the website. For Priya's workshop, the Information Officer is Priya herself. Registration takes about twenty minutes.
2. Written privacy policy — posted at the counter and on the website
A one-page privacy policy setting out: what personal information is collected (name, SA ID number or passport, mobile, email, address, vehicle details, service history), the purposes (providing the workshop service, issuing VAT invoices for SARS, service reminders under the customer exception, contacting the customer about current work), the legal basis (consent and contract performance under section 11), how long the data is retained (7 years for VAT-related records per SARS, 2 years for service history), with whom the data is shared (SARS, the workshop's accountant, no one else), the data subject's rights (access, correction, deletion, objection, complaint to the Regulator), and the Information Officer's contact. Print, laminate, display. Publish on the website. Update when material changes.
3. Section 69 opt-in / customer-exception notice at intake
Rewrite the job card to include, at the bottom, a tick-box notice: "Service reminders: This workshop sends occasional reminders (SMS, WhatsApp or email) about services due on your vehicle. Under section 69 of POPIA you are entitled to object to this communication at any time. Tick here if you do NOT wish to receive such reminders: [ ]. For other offers or promotions unrelated to your current vehicle, separate consent is required: Tick here if you consent to receive these: [ ]." Two separate boxes. The first box covers the customer-exception for similar-services reminders (and captures the right to object). The second box captures explicit opt-in consent for broader marketing. This one line on the job card cures the single biggest POPIA compliance gap in the motor industry, and takes five seconds for the customer to complete.
4. Security safeguards — customer data off personal devices and shared consumer cloud services
The Google Sheet has to go. Customer data belongs in a workshop management system with individual user accounts, access controls by role, session audit logging, and no ability to sync to a personal Gmail account. Access is revoked the day a staff member leaves. Printed customer registers are not left on the counter. Nothing is forwarded into a staff or family WhatsApp group. Physical devices that hold customer data are password-protected and (for cloud systems) behind multi-factor authentication. For a small workshop, this is a matter of using the right software rather than building it — but the change has to be made, and the change has to be documented in the privacy policy as part of the "security safeguards" condition.
5. Breach response plan — one page, rehearsed, with the Regulator portal bookmarked
Write a one-page response plan and pin it to the wall behind the counter: (a) who is informed of the suspected breach first (Information Officer), (b) how the breach is contained (revoke access, change passwords, secure physical copies), (c) assessment of scope and risk (who is affected, what data, what harm), (d) notification of the Regulator as soon as reasonably possible via inforegulator.org.za/notification-of-security-compromises/, (e) notification of affected data subjects in clear language, (f) recording of the incident in the internal register. Section 22 considers the existence of such a plan as evidence of good-faith compliance; its absence, when a breach occurs, is weighed against the organisation at sanction stage.
What happens now in Priya's file
Priya responds to the 21-day notice with the assistance of an attorney familiar with POPIA (about R12,000 to R25,000 in fees for the investigation phase). Her response acknowledges the incident, provides the requested information, details the immediate remedial steps (Google Sheet removed, workshop system with access control implemented, Information Officer registered with the Regulator, privacy policy published, job card updated with the section 69 notice, breach response plan posted), and proposes an agreed schedule for compliance audit within three months.
The Regulator's Enforcement Committee considers the file. Aggravating factors: 3,400 individuals affected, sensitive identifiers (SA ID numbers) in the dataset, eight years of unlawful direct marketing without consent, delayed notification. Mitigating factors: first-time enforcement, cooperation once engaged, full and rapid remediation, small-business scale, no demonstrable financial harm to complainants beyond distress. Published enforcement outcomes in comparable small-business matters have included enforcement notices with compliance orders (no fine), and — where aggravating factors are pronounced — administrative fines in the R100,000 to R1 million range.
Priya's likely outcome: an enforcement notice requiring specific compliance steps within a fixed period (typically 60 days), an administrative fine on the lower end of the scale (R250,000 to R500,000), and publication of the finding on the Information Regulator's website with the workshop named. Attorney fees on top: around R25,000 to R45,000 through to conclusion. Direct cost: R275,000 to R545,000. Indirect cost: the Google-indexed Regulator finding that every prospective customer can find for years afterwards.
Cost of having registered the Information Officer, published a one-page policy, added a section 69 tick-box to the job card, moved customer data off the Google Sheet, and pinned a breach response plan to the wall? Two afternoons of work. No ongoing cost. No fine. No public finding.
The workshop system and the job card you are already using
Mekavo captures customer personal information inside a system with individual user accounts, role-based access, revocable on one click, and audit-logged — no shared Google Sheets, no Gmail syncing. The intake job card supports the section 69 tick-box pattern (separate consents for service reminders under the customer exception and for broader marketing). The privacy-policy template is generated for the organisation with correct Information Officer details and section 8-25 condition mapping. The breach response plan template is in the help centre alongside the Information Regulator's security-compromise notification portal link. The only things you add outside the system are the laminated policy at the counter and the registered Information Officer entry at inforegulator.org.za — both one-off tasks.
POPIA has been fully in force since July 2021. The Information Regulator's enforcement tempo is rising. Direct marketing is now an active priority area. The motor industry — and particularly small independent workshops with deep customer lists and casual WhatsApp habits — sits in the Regulator's sightline. What a workshop can change is the way it handles the data on the laptop, the job card, the SMS reminder, and the inevitable first breach when someone on the team slips. Five measures. Set them up once. Keep them running on every job.
Official resources
- POPIA — consolidated text and guidance
- Information Regulator of South Africa — official portal
- Information Regulator — notification of security compromises portal
- Department of Justice — Information Officer registration and guidance
- Information Regulator — regulations, codes, guidelines (including direct marketing)
Last updated: April 2026. The statute and enforcement data cited were current at the date of publication. For an active Information Regulator investigation, a suspected data breach under assessment, or a direct-marketing programme that needs remediation before it attracts a complaint, consult an attorney admitted to practise in the applicable jurisdiction with data-protection experience before responding to the Regulator or proceeding with customer communications.
Note on scenarios: The shops, names, addresses, and case reference numbers in this article are fictional and used solely to illustrate how the cited statutes operate in practice. Any resemblance to actual shops, owners, or events is coincidental. The statutes, regulations, and agency procedures cited are real and current as of publication.