POPIA compliance in SAP: The silent risk you can’t afford to ignore in 2026

In South Africa, the legal reality has shifted from theoretical compliance to aggressive enforcement of the Protection of Personal Information Act (POPIA). The Information Regulator has significantly ramped up its activity. Many companies running SAP remain dangerously exposed in areas such as non-production data copies, legacy ECC systems, overexposed personal data, poor access controls, inconsistent masking, and unmanaged retention. SAP customers need to implement tangible measures like automated data scrambling, context-aware masking, and ILM to avoid risks of non-compliance.

In 2021, South African organisations scrambled to meet the initial 'grace period' deadline for the Protection of Personal Information Act (POPIA). For many SAP-centric enterprises, this resulted in a ‘tick-box’ approach: appointing an Information Officer, drafting a privacy policy, and perhaps implementing basic SAP authorisations.

Fast forward to January 2026, and the legal reality has shifted from theoretical compliance to aggressive enforcement. The Information Regulator has transitioned from an advisory body to a high-functioning enforcement machine. As we look at the current landscape, the question is no longer "Are we compliant?" but rather "Can we prove our compliance is sustainable and resilient against a breach?"

The mature enforcement landscape of 2026

In the last year alone, the Information Regulator has significantly ramped up its activity. In late 2025, the Regulator issued multiple Infringement Notices following a failure by several public and private bodies to comply with prior Enforcement Notices. Notable fines, such as the R5 million administrative fine issued to the Department of Basic Education, have set a clear precedent: the grace period for ‘trying’ is over.

One of the most sobering lessons of 2025/2026 is the recurring nature of breaches. A major South African retailer experienced a second significant data security incident in late 2025 involving a third-party service provider, affecting customer communication data. The incident reinforces a critical reality: privacy is not a project; it is a continuous state of operation. Organisations that treated POPIA as a once-off compliance exercise are now seeing legacy gaps exposed by an increasingly sophisticated cyber-threat landscape.

SAP blind spots: Where risk hides

Despite years of awareness, many SAP clients remain dangerously exposed in six specific areas:

1) Non-production environments: Production systems are usually locked down, but QA, Development, and Sandbox environments often contain full, unprotected copies of live production data. These are the ‘soft underbelly’ of the SAP landscape.

2) Legacy ECC systems: As organisations migrate to S/4HANA, old ECC systems are often left running as ‘read-only’ archives. These systems frequently lack modern security patches and the rigorous access controls of the new environment.

3) Overexposed personal data: ‘Broad’ authorisations mean too many users can see full South African ID numbers, bank details, and salary info when they only need a partial view to perform their jobs.

4) Poor access controls: Stale user accounts and ‘role creep’ mean that a single compromised set of SAP credentials can grant an attacker keys to the entire kingdom.

5) Inconsistent masking: If you are masking data in your web front-end but leaving the backend SAP tables readable, you haven't secured the data; you’ve just hidden it from the casual user.

6) Unmanaged retention rules: POPIA (Section 14) is explicit: personal information must not be retained any longer than necessary. Many SAP systems are ‘data graveyards’, holding 20 years of employee and customer data that should have been purged or archived long ago.

Cybersecurity: The 2026 threat reality

Data privacy and security are now inextricably linked. In 2025, IBM reported that the average cost of a data breach in South Africa reached R44.1 million. While this is a slight decrease from previous years due to AI-enabled defences, the cost for the financial sector remains as high as R70.2 million.

However, the fine is often the smallest part of the damage. In the current South African context, the reputational damage and lost business (averaging R13.1 million per breach) far outweigh the R10 million maximum POPIA fine.

The 2026 Reality: A data breach in your SAP system isn't just a compliance failure; it's a catastrophic business disruption. With nearly 2,000 security compromises reported to the Regulator in the first half of the 2025/26 financial year – a 40% increase – the threat is no longer ‘if’, but ‘when’.

Moving to provable and sustainable compliance

To survive a POPIA audit or a forensic investigation in 2026, SAP customers must move beyond the spreadsheet. You need tangible, technical measures that prove you are protecting data by design and by default.

  • Automated data scrambling: In non-production, data must be rendered unrecognisable. This isn't just good practice; under POPIA’s security safeguards (Section 19), it is a necessary technical measure to prevent unauthorised access to identifiable data during testing.
  • Context-aware masking: Implement UI masking that dynamically hides sensitive fields based on the user's role, location, and the sensitivity of the data (for example, masking an ID number unless the user is in Payroll).
  • Right to Erasure and Retention: Implement automated ILM (Information Lifecycle Management) to ensure that once a customer or employee leaves, their data is systematically deleted or de-identified.

Is your SAP system a 'silent risk'?

Ask yourself these three questions:

  • If the Information Regulator walked into your office today, could you show them a report of every SAP user who has accessed a specific customer’s ID number in the last 90 days?
  • Is there a single developer or tester who has access to 'real' bank account numbers in your QA environment?
  • Do you have a documented, automated process for deleting PII from your SAP system once the legal retention period expires?

If the answer to any of these is no, your organisation is carrying a silent risk that could become a loud, expensive reality.
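As an added example (not code from the original post or from EPI-USE Labs), the following Python sketches the three technical measures listed above and the access-trail question from the checklist, applied to constructed SAP-like HR records: keyed, format-valid scrambling of ID numbers and bank accounts for a non-production copy, role-based masking of the ID number at display time with every read logged, and a retention purge driven by the leaving date. The field names (pernr, id_number, bank_account, left_on), the scrambling key, the role names and the five-year retention period are all assumptions made for the example.

```python
"""Added example (not EPI-USE Labs code): three technical POPIA measures over
constructed, SAP-like HR records. Field names, the scrambling key, role names
and the retention period are assumptions made for illustration."""
import hashlib
import hmac
from datetime import date, timedelta

SCRAMBLE_KEY = b"example-key-rotate-per-system-copy"  # assumption: per-refresh secret
RETENTION_DAYS = 5 * 365                               # assumption: 5-year policy
AS_OF = date(2026, 1, 15)                              # "today" for the demo run

# Constructed sample data: no real people, no real accounts.
EMPLOYEES = [
    {"pernr": "00001001", "name": "A. Example", "id_number": "8001015009087",
     "bank_account": "1234567890", "left_on": None},
    {"pernr": "00001002", "name": "B. Example", "id_number": "9202204800083",
     "bank_account": "9876543210", "left_on": date(2018, 3, 31)},
]

def luhn_check_digit(payload: str) -> str:
    """Standard Luhn check digit, used as the 13th digit of a South African ID."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        n = int(ch)
        if i % 2 == 0:          # rightmost payload digit, then every second one, is doubled
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return str((10 - total % 10) % 10)

def _keyed_digits(domain: str, value: str, n: int) -> str:
    """n decimal digits derived from HMAC-SHA256(key, domain:value). The same real
    value always maps to the same pseudonym, so foreign-key links across tables
    survive the scramble, yet the mapping cannot be recomputed without the key."""
    mac = hmac.new(SCRAMBLE_KEY, f"{domain}:{value}".encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac, "big")).zfill(n)[-n:]

def scramble_id_number(real_id: str) -> str:
    """Replace a 13-digit SA ID with a format-valid pseudonym: plausible date of
    birth, fresh sequence digits and a correct Luhn check digit, so validation
    in test systems keeps working while the value identifies nobody."""
    d = _keyed_digits("id", real_id, 11)
    yy, mm, dd = d[0:2], f"{int(d[2:4]) % 12 + 1:02d}", f"{int(d[4:6]) % 28 + 1:02d}"
    seq, citizen = d[6:10], str(int(d[10]) % 2)
    payload = f"{yy}{mm}{dd}{seq}{citizen}8"
    return payload + luhn_check_digit(payload)

def scramble_for_nonprod(record: dict) -> dict:
    """Non-production copy of one record: direct identifiers replaced, operational
    fields (pernr, left_on) kept so the test data still behaves like production."""
    out = dict(record)
    out["name"] = f"Test Person {record['pernr']}"
    out["id_number"] = scramble_id_number(record["id_number"])
    out["bank_account"] = _keyed_digits("bank", record["bank_account"], len(record["bank_account"]))
    return out

def mask_id_number(id_number: str, role: str) -> str:
    """Context-aware masking at display time: Payroll sees the full ID, every
    other role sees only the last four digits. The stored value is untouched."""
    if role == "PAYROLL":
        return id_number
    return "*" * (len(id_number) - 4) + id_number[-4:]

def read_id_number(record: dict, user: str, role: str, today: date, access_log: list) -> str:
    """Every read of the ID field is logged, masked or not, so 'who looked at this
    person's ID number in the last 90 days?' has a provable answer."""
    access_log.append({"user": user, "role": role, "pernr": record["pernr"], "on": today})
    return mask_id_number(record["id_number"], role)

def users_who_read_id(pernr: str, today: date, access_log: list, window_days: int = 90) -> list:
    """Distinct users who read the given record's ID number within the window."""
    since = today - timedelta(days=window_days)
    return sorted({e["user"] for e in access_log if e["pernr"] == pernr and e["on"] >= since})

def purge_expired(records: list, today: date) -> tuple:
    """Retention rule in the spirit of POPIA s14: once a leaver's retention period
    has run out, the record goes. Returns (kept, purged) so the purge is auditable."""
    cutoff = today - timedelta(days=RETENTION_DAYS)
    kept = [r for r in records if r["left_on"] is None or r["left_on"] > cutoff]
    purged = [r for r in records if r not in kept]
    return kept, purged

if __name__ == "__main__":
    for emp in EMPLOYEES:
        print(scramble_for_nonprod(emp))
    log = []
    print(read_id_number(EMPLOYEES[0], "jsmith", "HR", AS_OF, log))
    print(users_who_read_id("00001001", AS_OF, log))
    kept, purged = purge_expired(EMPLOYEES, AS_OF)
    print([r["pernr"] for r in kept], [r["pernr"] for r in purged])
```

The scrambling is deterministic on purpose: a person's ID number appears in several SAP tables, and a non-production copy is only usable for testing if those references still line up after masking. Keying the derivation and rotating the key per system copy is what stops anyone with access to the QA system from rebuilding the mapping.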

2026 is the year of proof, not promises

POPIA compliance in 2021 was about preparation. POPIA compliance in 2026 is about evidence. It’s about being able to demonstrate, technically, operationally, and defensibly, that your SAP environment protects personal information by design and by default.

The Information Regulator is no longer asking whether you have a policy. It is asking whether your controls work. Whether your monitoring is continuous. Whether your retention rules are enforced automatically. Whether your non-production systems are safe. Whether you can respond within hours, not weeks, to a breach or access request.

SAP systems sit at the core of your organisation’s most sensitive data: payroll, banking details, ID numbers, medical information, supplier records, and customer histories. If those systems are not actively governed, continuously monitored, and technically secured, they are not just operational platforms; they are latent liabilities.

We offer a comprehensive data privacy assessment to identify gaps in your POPIA compliance and develop a sustainable, defensible path forward.

Read blog: SAP data privacy: Why is an assessment your first step to compliance?

This blog was co-written by Chené Ferreira and Amy Breedt, both working as Regional Marketers for the EPI-USE Labs Middle East and Africa (MEA) region.

Chené Ferreira

With a strong background in digital marketing, events, and communications, Chené is passionate about crafting marketing campaigns, analysing social media, writing creative copy, and planning events. Recently entering the SAP industry, she currently serves as a Regional Marketer for the MEA region.
