The Information Regulator has not authorised any certification scheme — businesses relying on third-party “Certified” badges are left exposed to significant legal and financial risk.
ATG Digital, a provider of access control and data compliance solutions for gated environments, has published an alert to South African organisations. It warns about a growing and potentially costly misconception: that a “POPIA Certified” badge or similar certificate confers legal protection. Such certificates do not confer any legal protection under the Protection of Personal Information Act 4 of 2013 (POPIA).
The Information Regulator of South Africa—the only body empowered to monitor and enforce POPIA compliance—has not created, endorsed, or authorised any certification system. There is no approved process or official stamp that declares a business “POPIA certified.” Leading data protection law firm Michalsons has stated publicly on its website that no one can currently provide a valid POPIA certification, as the Act specifies no process for it, and the Information Regulator has not established one.
“The danger is real,” said the ATG Digital compliance team. “When a business believes it is ‘certified’, it often stops doing the actual work of compliance. Policies go unreviewed. Staff are not trained. No Information Officer is appointed. When the Information Regulator comes knocking—or worse, when a data breach occurs—that certificate offers zero protection.”
Compliance vs “Certification”: a Critical Distinction
POPIA compliance means an organisation is actively fulfilling what the law requires:
- Lawfully collecting personal information
- Protecting it appropriately
- Giving data subjects control over their information
- Governing the entire process responsibly on an ongoing basis
Compliance is demonstrated through policies, practices, people, and conduct—not through a piece of paper.
Red Flags For Businesses
ATG Digital advises organisations to be cautious of the following:
- “Guaranteed” certification. No legitimate advisor can promise this.
- Official-looking certificates from vendors. A product can be designed with privacy in mind, but a vendor certificate cannot replace an organisation’s own compliance programme.
- One-and-done promises. POPIA compliance is ongoing. Any service claiming permanent compliance via a single purchase or training session is not being truthful.
Specific Implications for Gated Access Operators
For businesses operating in the access control space—estates, office parks, and warehousing facilities—the compliance picture is particularly well defined.
The draft Code of Conduct for Gated Access translates POPIA’s conditions for lawful processing into specific, operational requirements for access-controlled environments, covering purpose, data minimisation, retention, and safeguards at the point of capture. Operators in this sector are not left to interpret broad privacy principles: the Code does that work for them.
The Hallmarks of Genuine Compliance
POPIA compliance involves real, ongoing work. ATG Digital recommends organisations focus on the following priority steps:
- Appoint and register an Information Officer with the Information Regulator via the eServices Portal (a non-negotiable under Section 55 of POPIA).
- Review and update policies, including privacy notices, PAIA manuals, and internal data processing agreements.
- Train staff regularly. Employees are simultaneously a compliance asset and a compliance risk.
- Build an ongoing governance programme with regular gap analyses, policy reviews, and a compliance roadmap that evolves with the business.
Penalties for non-compliance under POPIA include fines of up to R10 million and imprisonment of up to 10 years.
The Information Regulator is not waiting. Businesses that have mistaken a vendor certificate for compliance need to act now, before a breach or an investigation makes the distinction unavoidable. ATG Digital actively monitors developments in POPIA legislation and enforcement, engaging directly with its access control and visitor management clients to ensure their compliance keeps pace with the law.

