The Protection of Personal Information Act (POPIA) applies to every South African restaurant that collects customer data, which is essentially every restaurant running a loyalty programme, WiFi captive portal, or online ordering system.
Non-compliance can result in administrative fines of up to R10 million. Here is a practical guide to getting it right.
What data do restaurants collect?
More than you think. Names, phone numbers, email addresses, order history, payment details, dietary preferences, delivery addresses, WiFi login information, and even CCTV footage all fall under POPIA.
The first step is auditing exactly what personal information you collect, where it is stored, and who has access to it.
Consent and purpose
Under POPIA, you must have a lawful basis for processing personal information. For restaurants, this is typically consent (the customer opts in, for example to a loyalty programme), necessity for performing a contract (you need a delivery address to fulfil an order), or a legitimate interest of the business that does not override the customer's rights. Record which basis applies to each type of data you hold; "we might find it useful later" is not a basis.
Be transparent: your privacy notice should clearly state what data you collect, why, and how long you keep it. Avoid burying this in 20-page terms and conditions that nobody reads.
Practical steps
Use a platform like Tafura that has POPIA compliance built in: data encryption, consent management, automatic data retention policies, and the ability to honour data subject access requests.
Train your staff on data handling: do not leave customer details on printed receipts, do not share loyalty data between locations without consent, and always use secure channels for communication.