Home

Services

Identity checks

South Africa ID

Instant SA ID verification via Home Affairs

Nigerian ID Verification

NIN, BVN, Virtual NIN and voter ID checks

KYC Bundle

Bundled identity check for onboarding

KYC Verification

Know Your Customer solutions

Biometric & document

Face Match

Selfie to ID photo verification

Document Verification

ID document authentication & OCR

Compliance & business

AML/PEP Screening

Global sanctions & compliance checks

Free FICA Toolkit

RMCP, POPIA and CDD tools

Bank Account Verification

Real-time bank account ownership checks

Company Verification

CIPC business & director checks

Status checks

Check Marital Status

Focused marital status check for SA IDs

Alive / Deceased Status Verification

Check alive or deceased status by SA ID number

Vehicle & licence

Licence Verification

Driver's licence authentication & decode

Vehicle Lookup

Number plate & VIN vehicle specs lookup

Trace & regional

Consumer Trace

Locate people by SA ID for fraud prevention

Phone Number Trace

Reverse-lookup a SA mobile for fraud prevention

Africa Verification

Verify identities across supported African countries

Enterprise

Compliance Solutions

KYC, FICA & POPIA compliance for SA

API Integration

REST API for high-volume automation

Volume Pricing

Custom rates for high-volume usage

Cross-Border KYC

POPIA compliant international verification

Partner Program

Reseller & integration partnerships

White Label

Your brand, our technology

API

API Documentation

REST API reference and guides

API Analytics

Monitor your API usage and performance

API Keys

Manage your API credentials

Company

About Us

Our story and mission

Contact

Get in touch with our team

Pricing

Home

Services

Identity checks

South Africa ID Nigerian ID Verification KYC Bundle KYC Verification

Biometric & document

Face Match Document Verification

Compliance & business

AML/PEP Screening Free FICA Toolkit Bank Account Verification Company Verification

Status checks

Check Marital Status Alive / Deceased Status Verification

Vehicle & licence

Licence Verification Vehicle Lookup

Trace & regional

Consumer Trace Phone Number Trace Africa Verification

Enterprise

Compliance Solutions API Integration Volume Pricing Cross-Border KYC Partner Program White Label

API

API Documentation API Analytics API Keys

Company

About Us Contact

Pricing

Back to FICA Toolkit

POPIA Compliance Checklist

Comprehensive checklist for Protection of Personal Information Act compliance

Use this POPIA (Protection of Personal Information Act) checklist to track the practical privacy steps your organisation should review.

Interactive tool

POPIA (Protection of Personal Information Act) checklist tool

Tick off the items you have handled. Your progress is saved in this browser so the checklist is usable, not just a reading page.

Progress

0/12

Responsible person and records

Confirm who is acting as the Information Officer.Register the Information Officer with the Information Regulator if required.Keep a list of the personal information your business collects and why you collect it.

Lawful collection

Record the lawful reason for collecting each type of personal information.Tell customers what information you collect, why you need it and who may receive it.Only collect the personal information needed for the stated purpose.

Security and suppliers

Limit staff access to personal information to people who need it for their work.Use reasonable security safeguards such as passwords, access controls and secure storage.Check that suppliers who handle personal information have suitable security obligations.

Requests and breaches

Create a process for access, correction and deletion requests.Create a breach response plan and notification process.Keep records of requests, responses, breaches and actions taken.

VerifyNow services that support this checklist

VerifyNow helps with verification evidence and data-quality checks. It does not replace your POPIA (Protection of Personal Information Act) policies, breach process, privacy notices or legal review.

Keep identity records accurate

Use this when you need to verify a South African identity number and keep a clear verification record.

VerifyNow service

ID + Photo (Real-Time)

Run check Learn

Reduce incorrect business records

Use this when your organisation collects company registration details during onboarding or account reviews.

VerifyNow service

CIPC Company Match

Run check Learn

Check documents you collect

Use this if your flow requires customers to upload identity documents and you need evidence that the document was checked.

VerifyNow service

Document Authenticate

Run check Learn

Support address or contact data quality

Use this only where you have a lawful reason to check address or contact history for the specific customer interaction.

VerifyNow service

Consumer Trace

Run check Learn

How to add VerifyNow to a privacy-safe flow

1Decide what personal information is truly needed for the customer action, then remove fields you do not need.
2Show the customer your privacy notice and capture consent where consent is the reason you rely on.
3Run only the required VerifyNow check, such as ID + Photo (Real-Time), company verification, Document Authenticate or Consumer Trace.
4Store the report reference and result securely with access limited to staff who need it for their work.
5Set a retention period, review date and deletion process for the verification record.
6Handle privacy policies, data subject requests, breach notices and supplier contracts in your governance process outside the VerifyNow check itself.

1. Information Officer Appointment and Registration

Appoint an Information Officer (the head of the organisation is the default Information Officer under Section 1 of POPIA)
Consider appointing Deputy Information Officers where necessary (Section 56)
Register the Information Officer with the Information Regulator
Ensure the Information Officer understands their duties under Section 55 (encouraging compliance, handling requests, and working with the Information Regulator)
Develop and publish a PAIA manual (Section 51 of the Promotion of Access to Information Act) as required by Section 17 of POPIA

2. Lawful Processing Conditions

POPIA sets out 8 conditions for lawful processing in Chapter 3. Ensure your organisation meets all applicable conditions:

Condition 1 - Accountability: The responsible party must ensure compliance with all conditions (Section 8)
Condition 2 - Processing limitation: Personal information is processed lawfully, minimally, and with consent or another lawful ground (Sections 9-12)
Condition 3 - Purpose specification: Personal information is collected for a specific, explicitly defined, and lawful purpose (Sections 13-14)
Condition 4 - Further processing limitation: Further processing is compatible with the original purpose (Section 15)
Condition 5 - Information quality: Personal information is complete, accurate, not misleading, and updated where necessary (Section 16)
Condition 6 - Openness: Data subjects are made aware of information being collected and the purpose (Sections 17-18)
Condition 7 - Security safeguards: Appropriate technical and organisational measures are in place to protect personal information (Sections 19-22)
Condition 8 - Data subject participation: Data subjects can request access to, correction, or deletion of their personal information (Section 23-25)

3. Data Subject Consent and Notification

Obtain consent that is voluntary, specific, and informed (Section 11)
Ensure consent mechanisms allow data subjects to withdraw consent at any time
Where consent is not the lawful ground, document the applicable justification (e.g., contractual necessity, legal obligation, legitimate interest)
Provide notification to data subjects at the time of collection as required by Section 18 (identity of responsible party, purpose, recipients, rights, etc.)
Maintain records of consent obtained for each processing activity

4. Purpose Specification and Limitation

Document the specific purpose for each category of personal information collected (Section 13)
Ensure personal information is not retained longer than necessary for the purpose it was collected (Section 14)
Establish and document retention periods for each category of personal information
Implement processes to destroy, delete, or de-identify personal information once the purpose has been achieved (Section 14(4))
Assess any further processing against the compatibility test in Section 15

5. Data Quality and Security Safeguards

Take reasonable steps to ensure personal information is complete, accurate, not misleading, and up to date (Section 16)
Implement appropriate technical measures to protect personal information (encryption, access controls, firewalls) (Section 19)
Implement appropriate organisational measures (policies, training, access management) (Section 19)
Ensure operators (third-party processors) have adequate security measures and are bound by contract (Section 21)
Establish a data breach notification process as required by Section 22
Use VerifyNow for identity verification to ensure data quality when collecting and verifying personal information

6. Trans-border Data Transfers

Identify all instances where personal information is transferred outside South Africa
Ensure the recipient country has adequate data protection laws, or that one of the Section 72 exceptions applies
Where relying on consent for trans-border transfers, ensure the data subject is informed of the risks
Implement binding corporate rules or contractual safeguards where applicable (Section 72(1)(a))
Document all trans-border transfers and the legal basis relied upon

7. Record Keeping Requirements

Maintain a register of all processing activities conducted by the organisation
Document the lawful basis for each processing activity
Keep records of all data subject requests and the responses provided
Maintain records of any data breaches and notifications made
Keep records of all consent obtained and any withdrawals of consent
Ensure records are retained in accordance with your documented retention schedule and other applicable legislation (e.g., FICA requires 5 years)