Across hundreds of assessments of South African businesses, the same information governance risks appear again and again. These are not exotic edge cases. They are everyday vulnerabilities that exist in most organisations and that regulators, auditors and insurers are increasingly scrutinising.
Most South African organisations have never formally classified their information. Without classification, staff cannot make good decisions about how to handle data — what can be emailed, what needs encryption, what can be shared with AI tools. Classification is the foundation of every other governance control.
Mitigation: Implement a four-tier classification framework (Public / Internal / Confidential / Restricted) and train all staff on how to apply it.
The rapid adoption of ChatGPT, Copilot and Gemini has outpaced policy development in almost every organisation. Staff are using these tools with personal or client data daily, creating POPIA exposures that many organisations are unaware of.
Mitigation: Audit actual AI tool usage, implement an AI acceptable use policy, and deploy technical controls to prevent prohibited uploads.
Personal Gmail, WhatsApp, Dropbox, WeTransfer and similar tools are widely used for business document sharing in South Africa. Each time a confidential document leaves the organisation’s environment via an unapproved channel, it creates an untraceable data exposure.
Mitigation: Implement approved file sharing tools with audit logging. Block or restrict personal cloud storage on managed devices. Train staff on the risks.
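One way the classification scheme above turns into an enforceable technical control is a handling matrix that says which tiers each channel may carry, evaluated over the organisation's sharing audit log. The example below is added here and is not ComplyBar's tooling; the channel rules, the encryption requirement for the top two tiers, and the sample events are assumptions constructed for illustration.

```python
"""Handling-rule check for a four-tier classification scheme
(Public / Internal / Confidential / Restricted).
The channel matrix and sample events are assumptions made for this example."""
from dataclasses import dataclass

TIERS = ("Public", "Internal", "Confidential", "Restricted")

# Assumed handling matrix: which tiers each channel is allowed to carry.
ALLOWED = {
    "internal_email": set(TIERS),
    "approved_share": set(TIERS),               # sanctioned tool with audit logging
    "external_email": {"Public", "Internal"},
    "personal_cloud": {"Public"},               # personal Gmail, Dropbox, WeTransfer
    "messaging_app":  {"Public"},               # WhatsApp and similar
    "ai_tool":        {"Public"},               # ChatGPT, Copilot, Gemini
}
# Channels that move data outside the organisation's environment.
EXTERNAL = {"external_email", "personal_cloud", "messaging_app", "ai_tool"}
# Assumed rule: these tiers must be encrypted whenever they leave.
ENCRYPT_REQUIRED = {"Confidential", "Restricted"}

@dataclass
class Event:
    user: str
    document: str
    tier: str
    channel: str
    encrypted: bool = False

def check_event(ev: Event) -> list[str]:
    """Return the list of handling-rule violations for one sharing event."""
    if ev.tier not in TIERS:
        return [f"{ev.document}: unknown classification {ev.tier!r}"]
    if ev.channel not in ALLOWED:
        return [f"{ev.document}: unapproved channel {ev.channel!r} ({ev.user})"]
    findings = []
    if ev.tier not in ALLOWED[ev.channel]:
        findings.append(f"{ev.document}: {ev.tier} may not be sent via {ev.channel} ({ev.user})")
    if ev.channel in EXTERNAL and ev.tier in ENCRYPT_REQUIRED and not ev.encrypted:
        findings.append(f"{ev.document}: {ev.tier} left the organisation unencrypted ({ev.user})")
    return findings

def audit(events: list[Event]) -> list[str]:
    """Flatten the findings over a whole log of sharing events."""
    return [f for ev in events for f in check_event(ev)]

# Constructed sample audit log (not real users or documents).
SAMPLE = [
    Event("thandi", "board-pack.pdf", "Restricted", "approved_share", encrypted=True),
    Event("sipho", "client-list.xlsx", "Confidential", "ai_tool"),
    Event("lerato", "payroll.csv", "Restricted", "messaging_app"),
    Event("anna", "brochure.pdf", "Public", "personal_cloud"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against a real export of file-sharing or DLP events, the same check gives the evidence of actual tool usage that the AI and shadow-IT mitigations above call for.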
POPIA requires every organisation to appoint and register an Information Officer with the Information Regulator. Many organisations have either not made the appointment or have appointed someone without giving them any authority or resources.
Mitigation: Appoint a qualified Information Officer, register them with the Information Regulator (regulateaza.org.za), and ensure they have the authority and tools to do their job.
Chaotic file systems make it impossible to respond to POPIA subject access requests, conduct proper audits, or apply retention schedules. When you cannot find a document without opening dozens of files, you cannot govern your information effectively.
Mitigation: Implement a documented naming standard, conduct a repository assessment to identify the worst areas, and prioritise remediation by risk level.
Staff are the primary vector for information governance failures. They send the wrong document to the wrong recipient, use unapproved tools, misclassify sensitive files, and make poor decisions because they do not understand the rules or the risks.
Mitigation: Implement role-based IG training, not just annual POPIA awareness. Use real examples from your own industry. Require acknowledgement of policies.
POPIA requires that personal information not be kept longer than necessary for its original purpose. Most organisations have no formal retention schedule and keep everything indefinitely — increasing their POPIA exposure with every day that passes.
Mitigation: Develop a retention schedule covering all major record categories. Implement a process for periodic deletion of expired records. Document your decisions.
Organisations share personal information with dozens of third-party service providers — payroll companies, cloud storage providers, marketing platforms, accountants, IT support firms. POPIA requires written data processing agreements with all of them. Most organisations have not done this.
Mitigation: Compile a data processor register. Review contracts to ensure POPIA-compliant data processing agreements are in place. Assess the security posture of key processors.
POPIA requires organisations to notify both the Information Regulator and affected data subjects of a data breach within a reasonable time. Most organisations have no incident response plan, no breach notification template, and no designated person responsible for managing incidents.
Mitigation: Develop a POPIA incident response plan. Define what constitutes a reportable breach. Appoint a breach coordinator. Test the plan annually.
Where information governance is treated as an IT or legal matter rather than a leadership priority, it inevitably lacks the budget, authority and organisational attention it needs. The POPIA Regulator holds responsible parties (which include executives and directors) personally accountable.
Mitigation: Implement board-level governance reporting. Present governance risk scores and remediation progress to leadership quarterly. Treat IG as a business risk, not a compliance checkbox.
Understanding these risks is the starting point. Measuring where your organisation stands on each of them requires a structured assessment. A 14-day information governance assessment covers all ten risk categories and delivers an evidence-based risk score with prioritised recommendations.
ComplyBar helps businesses identify hidden risks in how information, AI tools, email, documents and cloud systems are used. A structured assessment gives management the visibility to know, not just assume.
Built for POPIA support, AI governance, data leak prevention, employee risk awareness, information governance and audit evidence.