Information Visibility
You Receive a POPIA Information Request Tomorrow

THE SCENARIO

A client contacts you and requests a complete account of what personal information your business holds about them, where it is stored, who has access to it, and whether it has ever been shared with any third party. Under POPIA, you are required to respond. You have five business days. The question is: can your business actually answer these questions?

1. How This Typically Happens

Most businesses do not have a centralised record of what personal information they hold, where it is stored, or who can access it. Client information is typically spread across email inboxes, spreadsheets, CRM systems, accounting software, shared drives and possibly WhatsApp - often with no single person able to provide a complete and accurate picture. Producing a reliable answer requires finding and reviewing information across all of these sources.

2. Why Businesses Often Miss the Warning Signs

Information access requests are uncommon enough that most businesses have never prepared to respond to one. There is no designated person responsible, no record of where personal information is held, and no process for producing a complete answer within a tight timeframe. The absence of preparation only becomes visible when a request actually arrives.

3. Potential Consequences
Inability to respond accurately or within the required timeframe
A formal complaint from the client to the Information Regulator
An investigation by the Information Regulator into your data processing practices
Reputational damage if the complaint becomes public or affects client relationships
Legal and management costs associated with responding to a formal regulatory process
4. Questions Management Should Ask

Does your business have a designated Information Officer responsible for handling POPIA-related requests?
Do you know where all personal information about clients and employees is currently stored?
Could you produce a complete record of what information you hold about a specific client within five business days?
Do you have a written procedure - even a simple one - for handling information access requests?
5. Practical Steps to Improve Visibility

1. Appoint a designated Information Officer - even in a small business, one person should own responsibility for POPIA-related requests.
2. Create a simple inventory of where you hold client and employee personal information: email system, CRM, shared drive, accounting software, any other platform.
3. Draft a basic response procedure: who receives the request, who gathers the information, who reviews and signs off the response.
4. Test the process informally: if a client requested their information today, trace through how you would respond and how long it would take.