Are GRC and data privacy two sides of the same coin?

SUMMARY: In South Africa in 2026, POPIA compliance in SAP is impossible without robust GRC (Governance, Risk Management and Compliance). Data privacy is the 'what' and GRC is the 'how': weak SAP GRC puts POPIA compliance at risk. EPI-USE Labs and our partner Soterion bridge the gap between theoretical compliance and technical enforcement, tackling role creep, over-authorised users, SoD conflicts and access risk. By automating access control, masking and monitoring, organisations can align SAP authorisations with POPIA and GDPR, removing the 'silent risk' and improving data privacy and POPIA and GDPR compliance.

As we navigate the legal reality of 2026, many South African organisations are realising a hard truth: you cannot have POPIA compliance without robust GRC (Governance, Risk Management and Compliance).

For too long, data privacy and GRC have lived in silos. The Data Privacy team (Legal/Compliance) worries about consent and data retention, while the GRC team (IT/Audit) worries about access roles and Segregation of Duties (SoD).

In the high-stakes environment of 2026, where the Information Regulator is actively issuing infringement notices, these silos are a liability. Together, EPI-USE Labs and Soterion are bridging this gap, helping SAP users move from ‘theoretical compliance’ to ‘technical enforcement’.

The intersection: Where access meets data privacy

In SAP, data privacy is ultimately an access problem. POPIA's Condition 7 (Security Safeguards, sections 19 to 22) requires a responsible party to secure the integrity and confidentiality of personal information by taking 'appropriate, reasonable technical and organisational measures' to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of it.

If your SAP GRC is weak, your POPIA compliance is non-existent.

Here are a few examples:

The over-authorised user
A user with broad access roles can view HR master data (transaction PA20) when they only need to process payroll. That access is not justified by the user's job and is a POPIA violation.

The masking paradox
Tools like Data Secure from EPI-USE Labs can mask sensitive data in the application, but if GRC controls still allow a backend bypass (for example reading the underlying tables directly through SE16), the privacy control fails: the masked field is only as private as the least-controlled path to its table.

The identity crisis
Without proof of who accessed PII, and when, you cannot demonstrate that access to personal information was lawful, and you cannot meet POPIA's Access to Information requirements.
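As an added example that is not from the page's authors, EPI-USE Labs or Soterion, the Python script below runs the three checks the examples above describe (an SoD conflict between transactions, a backend table transaction that bypasses UI masking, and a role that has not been exercised for a long time, the 'role creep' the page returns to later) over a constructed authorisation snapshot. The transaction codes are real SAP codes; the role names, user IDs, last-use dates, as-of date and the SoD ruleset are constructed assumptions, not any vendor's shipped ruleset.

```python
"""Access-risk checks over a constructed SAP authorisation snapshot.

Added example, not code from EPI-USE Labs or Soterion. The transaction codes
are real SAP codes; the role names, user IDs, last-use dates and the SoD
ruleset are constructed for illustration.
"""
from datetime import date, timedelta

# Transactions that read or edit tables directly, sidestepping UI-level masking.
BACKEND_TABLE_TCODES = {"SE16", "SE16N", "SM30"}

# Constructed SoD ruleset: holding both transactions of a pair is a conflict.
SOD_RULES = [
    ("FK01", "F110", "create vendor master AND run payment run"),
    ("SU01", "PFCG", "maintain users AND maintain roles"),
]

# A role nobody has exercised for this long is a role-creep candidate.
STALE_AFTER = timedelta(days=180)

# Constructed as-of date for the review.
AS_OF = date(2026, 2, 10)

# Constructed role catalogue: hypothetical role name -> transactions it grants.
ROLES = {
    "Z_HR_DISPLAY": {"PA20"},
    "Z_HR_MAINTAIN": {"PA20", "PA30", "PA40"},
    "Z_AP_VENDOR": {"FK01", "FK02"},
    "Z_AP_PAYMENTS": {"F110"},
    "Z_BASIS_ADMIN": {"SU01", "PFCG", "SE16"},
    "Z_LEGACY_SUPPORT": {"SE16N", "SM30"},
}

# Constructed assignments: user -> {role: date a transaction of that role was last started}.
USERS = {
    "PAYCLERK1": {"Z_HR_MAINTAIN": date(2026, 1, 20), "Z_LEGACY_SUPPORT": date(2024, 3, 2)},
    "APCLERK1": {"Z_AP_VENDOR": date(2026, 2, 1), "Z_AP_PAYMENTS": date(2026, 2, 3)},
    "BASIS1": {"Z_BASIS_ADMIN": date(2026, 2, 5)},
    "HRVIEW1": {"Z_HR_DISPLAY": date(2026, 1, 30)},
}


def effective_tcodes(user: str) -> set[str]:
    """Union of the transactions granted by every role assigned to the user."""
    return set().union(*(ROLES[role] for role in USERS[user]))


def granting_roles(user: str, tcode: str) -> list[str]:
    """Which of the user's roles carry a given transaction (i.e. what to remove)."""
    return sorted(role for role in USERS[user] if tcode in ROLES[role])


def sod_conflicts(user: str) -> list[str]:
    """Descriptions of every SoD rule the user's combined access violates."""
    tcodes = effective_tcodes(user)
    return [desc for a, b, desc in SOD_RULES if a in tcodes and b in tcodes]


def masking_bypass(user: str) -> list[str]:
    """Backend table transactions through which application-level masking is bypassed."""
    return sorted(effective_tcodes(user) & BACKEND_TABLE_TCODES)


def stale_roles(user: str, as_of: date) -> list[str]:
    """Roles not exercised within STALE_AFTER of the as-of date (role creep)."""
    return sorted(role for role, last in USERS[user].items() if as_of - last > STALE_AFTER)


def access_risk_report(as_of: date) -> dict[str, dict[str, list[str]]]:
    """One finding set per user; users with no findings are omitted."""
    report = {}
    for user in USERS:
        findings = {
            "sod": sod_conflicts(user),
            "bypass": masking_bypass(user),
            "stale": stale_roles(user, as_of),
        }
        if any(findings.values()):
            report[user] = findings
    return report


if __name__ == "__main__":
    for user, findings in access_risk_report(AS_OF).items():
        print(user)
        for kind, items in findings.items():
            for item in items:
                print(f"  {kind:6} {item}")
        for tcode in findings["bypass"]:
            print(f"         {tcode} granted by {', '.join(granting_roles(user, tcode))}")
```

In the constructed data PAYCLERK1 is the masking paradox in miniature: the payroll role is legitimate, but a forgotten support role still carries SE16N and SM30, so HR tables can be read outside the masked screens. A production check would resolve authorisation objects rather than transaction codes alone (S_TCODE for what can be started, and S_TABU_DIS or S_TABU_NAM for which tables SE16 can actually read), and would take last-use dates from the system's transaction-start records rather than a hand-written dictionary.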

Data privacy is the 'what’; GRC is the 'how'

Data privacy defines the rules of engagement (such as ‘Only HR managers can see employee bank details’). GRC is the engine that enforces those rules within SAP.

Through the partnership of Soterion’s GRC expertise and EPI-USE Labs’ data management prowess, organisations can finally see the full picture. It isn’t enough to know that data is sensitive; you must know exactly who can reach it and whether that access is justified by their business role.

GDPR vs POPIA: What SAP users need to know

Many South African organisations are familiar with POPIA, but may also need to consider GDPR for international operations. The following table highlights key differences and similarities, focusing on SAP implications (based on a comparison document from dataguidance.com):

Personal data
  • POPIA (South Africa): any information relating to an identifiable person (POPIA also covers identifiable juristic persons)
  • GDPR (EU): any information relating to an identifiable natural person
  • SAP implication: HR, customer, vendor and other PII-bearing tables must be secured

Consent
  • POPIA (South Africa): consent is one of the justifications for processing (section 11); another lawful basis, such as a contract or a legal obligation, may apply instead
  • GDPR (EU): consent is one of six lawful bases (Article 6); explicit consent is required for special categories of data (Article 9)
  • SAP implication: SAP workflows may need consent logging

Data breach notification
  • POPIA (South Africa): notify the Information Regulator and affected data subjects as soon as reasonably possible (section 22)
  • GDPR (EU): notify the supervisory authority within 72 hours of becoming aware (Article 33)
  • SAP implication: logging and alerting must be able to show what was accessed, by whom and when

Cross-border transfer
  • POPIA (South Africa): only where the recipient is subject to adequate protection (a law, binding corporate rules or an agreement), or another section 72 exception applies
  • GDPR (EU): only to countries with an adequacy decision, or under appropriate safeguards (Chapter V)
  • SAP implication: interfaces with external systems must be inventoried and monitored

Data minimisation
  • POPIA (South Africa): collect only personal information that is adequate, relevant and not excessive (minimality, section 10)
  • GDPR (EU): collect only data that is adequate, relevant and limited to what is necessary (Article 5(1)(c))
  • SAP implication: role and field-level restrictions must be enforced

Access controls
  • POPIA (South Africa): Condition 7, security safeguards (sections 19 to 22)
  • GDPR (EU): Article 32, security of processing
  • SAP implication: SAP GRC controls, SoD enforcement and masking of critical data

This table shows that POPIA and GDPR share many common principles like security, consent, and minimisation. For SAP users in South Africa operating across borders, aligning your GRC strategy to cover both frameworks ensures compliance on both fronts.

The danger of ‘role creep’ in 2026

Over time, SAP users collect access rights like unnoticed clutter. Many long-term employees now have ‘Super User’ capabilities they don’t even realise they have.

In the event of a breach, the Information Regulator won’t just look at the hacker; they will look at why the compromised account had such broad access in the first place. Soterion provides the visibility to identify these dangerous permission overlaps before they become a headline.

Sustainable compliance requires automation

With the cost of a South African data breach now averaging R44.1 million, manual spreadsheets and annual access reviews are no longer enough.

Sustainable compliance in 2026 requires an automated feedback loop:

  • Identify where PII lives (EPI-USE Labs).
  • Govern who can see it and remove excess risk (Soterion).
  • Protect it via masking and scrambling in non-production (EPI-USE Labs).

Is your SAP access creating a POPIA risk?

Most organisations think they have control over their SAP access, but the reality is often much messier. ‘Out-of-the-box’ SAP roles are notoriously broad, and custom roles often hide significant POPIA risks.

To help you move from uncertainty to provable compliance, start with a clear-eyed look at your current landscape.

Highlight the gaps in your SAP access control

EPI-USE Labs has partnered with Soterion to offer a specialised GRC demo designed to highlight the gaps in your SAP access control. This demo gives you:

  • visibility into your current Access Risk
  • identification of Segregation of Duties (SoD) conflicts that could lead to data theft
  • a roadmap to aligning your SAP authorisations with POPIA’s Security Safeguards.

Get started and ensure your GRC and privacy strategies are working in harmony. Don't let your SAP access be the 'silent risk' that leads to an administrative fine of up to R10 million under POPIA.

Book your Soterion GRC demo and reduce your risks of non-compliance.

This blog was co-written by Chené Ferreira and Amy Breedt, both working as Regional Marketers for the EPI-USE Labs Middle East and Africa (MEA) region. 

Chené Ferreira

With a strong background in digital marketing, events, and communications, Chené is passionate about crafting marketing campaigns, analysing social media, writing creative copy, and planning events. Recently entering the SAP industry, she currently serves as a Regional Marketer for the MEA region.
