Why most South African companies running SAP would fail a POPIA audit in 2026
By Amy Botha | 16 April 2026
The reality of SAP data privacy compliance in South Africa in 2026 is that under the Protection of Personal Information Act (POPIA), the Information Regulator now wants to see automated logs of data deletion. SAP landscapes are a compliance ‘powder keg’ because of five primary reasons: Production data in non-production, ECC ghost systems, data graveyards, the cloud shared responsibility trap, and inconsistent masking. The cost of non-compliance is high, so you need to be able to prove that you are compliant with POPIA.
For years, South African enterprises have operated under a ‘Compliance Mirage’. In 2021, the focus was on appointing Information Officers and drafting privacy policies. By 2024, the focus shifted to basic encryption. But in 2026, the Information Regulator has stopped asking if you have a policy; they are now asking to see the automated logs of your data deletion.
Despite best intentions, the majority of South African organisations running SAP are currently sitting on a compliance ‘powder keg’. If an auditor or a forensic investigator walked into your SAP environment today, here is why they may find you non-compliant:
What are 5 reasons you may fail your POPIA audit?
1. The Sandbox secret: Production data in non-production
This is the most common failing. While Production environments are usually fortified, QA, Development, and Sandbox systems often contain exact copies of live Production data.
| The risk | The POPIA reality |
|---|---|
| Developers and third-party consultants often have broad "SAP_ALL" type access in these environments. | Under Section 19 (Security Safeguards), you are legally required to prevent unauthorised access. Using real customer IDs or bank details for testing, without scrambling or masking, is a direct violation of Privacy by Design. |
2. The ECC ghost systems
As companies rush toward S/4HANA, many leave their old SAP ECC systems running as archives. These systems are often ‘unmanaged’ from a data privacy perspective.
| The risk | The POPIA reality |
|---|---|
| These legacy environments are rarely patched against modern vulnerabilities (like the exploits seen in late 2025) and often contain decades of PII. | If you aren't applying the same rigorous access and retention controls to your legacy ‘read-only’ data as you do to your live data, you are maintaining a massive, unmonitored attack surface. |
3. The data graveyard (unmanaged retention)
POPIA Section 14 is clear: you must destroy or de-identify personal information once the purpose for which it was collected has expired.
| The risk | The POPIA reality |
|---|---|
| SAP systems are designed to hold data forever. Most SA companies have never run a successful, automated ‘data shedding’ project. | Holding onto 15-year-old employee records or 10-year-old ‘prospect’ data isn't just a storage issue; it’s a legal liability. In 2026, "we might need it one day" is no longer a valid legal defence for data retention. |
4. The Cloud shared responsibility trap
With the massive shift to cloud-hosted environments under RISE with SAP, many South African IT teams have mistakenly assumed that ‘SAP handles the security now’.
| The risk | The POPIA reality |
|---|---|
| While SAP or the hyperscaler (Azure/AWS/GCP) secures the infrastructure, the customer is still 100% responsible for the data and access layers. | If a user in your cloud environment over-shares a report containing 50,000 ID numbers, the Information Regulator will fine you, not the cloud provider. |
5. Inconsistent masking: The front door fallacy
Many organisations have implemented UI masking on their web portals but neglected the SAP backend.
| The risk | The POPIA reality |
|---|---|
| A user might see a masked ID number on a Fiori app, but if they can log into the SAP GUI and run a simple table download (SE16N), they can export the entire database in clear text. | Compliance must be consistent across all layers. Inconsistent masking is a ‘technical gap’ that the Regulator specifically looks for during post-breach investigations. |
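Both failing 1 (live data copied into QA/Dev/Sandbox) and failing 5 (masking on the front end but clear text in a table download) come down to the same check: does personal information appear unmasked in places the masking policy says it must not? The following added example (not from the article or EPI-USE Labs) scans a tab-separated export, of the kind a user might save from a table browser, for clear-text South African ID numbers. It uses the public structure of the ID number (13 digits, YYMMDD date prefix, Luhn check digit) to separate real IDs from other 13-digit values; the column names, rows and the test ID values are constructed. Run it over non-production extracts or over sample table downloads to evidence that masking holds at the backend, not just on the portal.

```python
"""Scan a table export for clear-text South African ID numbers (added example).

Assumptions (not from the article): the input is a tab-separated text export
with a header row; column names and sample rows below are constructed.
"""
import re
from datetime import date

# Exactly 13 digits not embedded in a longer digit run.
ID_RE = re.compile(r"(?<!\d)\d{13}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum over all digits; the 13th digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_sa_id(candidate: str) -> bool:
    """13 digits, a YYMMDD prefix that is a real calendar date, and a valid Luhn digit."""
    if len(candidate) != 13 or not candidate.isdigit():
        return False
    yy, mm, dd = int(candidate[:2]), int(candidate[2:4]), int(candidate[4:6])
    try:
        # Century is ambiguous in the ID; 2000+yy accepts every month/day
        # combination that is valid in either the 1900s or the 2000s.
        date(2000 + yy, mm, dd)
    except ValueError:
        return False
    return luhn_ok(candidate)


def scan_export(text: str, expect_masked: tuple[str, ...] = ("ID_NUMBER",)) -> list[dict]:
    """Return one finding per cell that holds a plausible clear-text SA ID number.

    `expect_masked` names columns the masking policy says must never be in
    clear text (high severity). Hits in any other column are reported too,
    at medium severity, because ID numbers leak into free-text fields.
    """
    lines = text.strip().splitlines()
    headers = lines[0].split("\t")
    findings = []
    for row_no, line in enumerate(lines[1:], start=2):   # header is row 1
        for col, cell in zip(headers, line.split("\t")):
            for m in ID_RE.finditer(cell):
                if plausible_sa_id(m.group()):
                    findings.append({
                        "row": row_no,
                        "column": col,
                        "severity": "high" if col in expect_masked else "medium",
                        # Never echo the full number into the report.
                        "preview": m.group()[:6] + "*******",
                    })
    return findings


# Constructed export. 8001015009087 is a checksum-valid test value, not a
# real person's number; 8001015009088 fails Luhn; 0000000000000 passes Luhn
# but has no valid date, so neither should be reported.
SAMPLE_EXPORT = "\t".join(["PARTNER", "NAME", "ID_NUMBER", "NOTES"]) + "\n" + "\n".join([
    "1000001\tA Person\t8001015009087\tcalled re statement",
    "1000002\tB Person\t800101*******\tmasked correctly",
    "1000003\tC Person\t8001015009088\tbad check digit",
    "1000004\tD Person\t0000000000000\tplaceholder value",
    "1000005\tE Person\tXXXXXXXXXXXXX\tID 8001015009087 sent via email",
])

if __name__ == "__main__":
    for f in scan_export(SAMPLE_EXPORT):
        print(f)
```

On the constructed export only two cells are reported: the unmasked `ID_NUMBER` in row 2 (high) and the number pasted into `NOTES` in row 6 (medium). The masked value, the number with a wrong check digit and the all-zero placeholder are all skipped, which is the point of combining the date and Luhn checks rather than matching any 13-digit string: a false positive on every material or document number would make the report useless.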
The cost of non-compliance
In 2025, South Africa saw a 40% increase in reported data breaches, with an average of 284 notifications per month. The Information Regulator is no longer ‘advising’; it is issuing R5 million fines to those who ignore Enforcement Notices.
But as the major South African retailer and Department of Justice cases have shown, the R10 million fine is just the tip of the iceberg. The real cost lies in:
- Forensic investigation costs: Averaging millions per incident.
- Reputational churn: Customers in 2026 are highly privacy-aware, and will leave brands that fail to protect their data.
- Operational downtime: A system-wide SAP lockdown during a breach can cost an enterprise millions per hour.
The bottom line: Move to provable compliance
In 2026, compliance is not a document in a drawer; it is a technical reality in your code. If you cannot prove that your non-production data is scrambled, your retention rules are automated, and your access is dynamically masked, you aren't POPIA ready.
Get POPIA compliant: Find out about our SAP data privacy assessment service
This blog was co-written by Chené Ferreira and Amy Breedt, both working as Regional Marketers for the EPI-USE Labs Middle East and Africa (MEA) region.
Amy Botha
With a background in digital marketing and communications, Amy is adept in market analysis and trend identification, and is enthusiastic about implementing lead generation strategies and marketing campaigns. New to the SAP industry, she is currently the Regional Marketer for the MEA region.