TL;DR — The Quick Answer
POPIA (Protection of Personal Information Act) has been fully enforceable since July 2021. Employers must get consent before collecting candidate data, store it securely, delete it when no longer needed, and allow candidates to access their information. Non-compliance penalties: up to R10 million or imprisonment.
Key Facts:
- POPIA fully enforceable since 1 July 2021
- Maximum penalty: R10 million fine or imprisonment
- Key requirements: consent, purpose limitation, data minimisation, security
- ShiftMate is POPIA-compliant by design
POPIA (the Protection of Personal Information Act) has been fully enforceable since July 2021, and it directly impacts how South African employers collect, store, and process candidate personal information during hiring. Non-compliance carries penalties of up to R10 million or imprisonment.
This guide explains what POPIA means for your hiring process in plain language. For POPIA-compliant hiring platforms, see our guide to posting jobs for free in South Africa.
What POPIA Requires During Hiring
Consent
You must have clear consent before collecting candidate personal information. This includes CVs, ID documents, contact details, and any assessment results. The consent must be specific: data collected for hiring can't be reused for marketing purposes.
Purpose Limitation
Candidate data can only be used for the stated purpose — evaluating them for a specific role. You can't share CVs with other departments or companies without fresh consent.
Storage Limitation
You can't keep candidate data indefinitely. Once the hiring process is complete, unsuccessful candidates' data should be deleted unless you have consent to retain it for future opportunities. Best practice: delete unsuccessful candidate data within 6 months.
Data Security
Candidate data must be stored securely. Spreadsheets of applicant details shared via email or WhatsApp groups are a POPIA violation waiting to happen.
Common POPIA Violations in Hiring
- Emailing CVs between managers without candidate consent
- Storing candidate data in unencrypted spreadsheets
- Keeping CVs from unsuccessful candidates indefinitely
- Sharing candidate details with third parties without consent
- Collecting more data than needed for the role (e.g., asking for ID numbers before making an offer)
How ShiftMate Handles POPIA Compliance
ShiftMate was built in South Africa with POPIA compliance as a core design principle, not an afterthought:
- Consent management: Built into the platform at every data collection point
- Secure data storage: AES-256-GCM encryption for sensitive data
- Purpose limitation: Data used only for matching and hiring
- Automatic data lifecycle: Platform manages retention and deletion
- No data leakage: Candidate information stays within the secure platform
By using ShiftMate, you eliminate most POPIA compliance risks associated with hiring — because the platform handles data protection for you.
Register free on ShiftMate — POPIA-compliant hiring built in, not bolted on.




