POPIA — Protection of Personal Information Act
POPIA has been actively enforced since July 2021. The Information Regulator of South Africa is actively investigating complaints, issuing enforcement notices, and imposing fines. Any South African company or company processing SA residents' data must comply.
The Developer Problem
Many South African developers are still handling personal data without proper consent mechanisms, data processing records, or breach notification pipelines. The Information Regulator is now auditing companies proactively.
What You Must Build
These are the exact technical components regulators will check for:
PAIA manual published on company website
Consent capture mechanism with opt-in/opt-out for each processing purpose
Data subject access request (DSAR) response pipeline — 30 days to respond
Breach notification system to Information Regulator within 72 hours
Data processing register (what data, why, how long, where)
Privacy policy in plain language accessible to users
Consequences of Non-Compliance
Fines up to R10 million per violation
Criminal prosecution — up to 10 years imprisonment
Class action by affected data subjects
Mandatory public disclosure of breach
Drop-In Code Solution
Instead of building this from scratch (2–6 weeks of engineering time), use this production-ready package that implements all the required components above.
A lightweight TypeScript middleware wrapper. It intercepts the prompt at the Edge before it leaves your network, uses optimized local regex + lightweight NER to identify and hash all sensitive data, sends the clean prompt to the AI API, and decodes hashes back into real values only inside the secure browser context.
// pii-masker.edge.ts — intercept before prompt leaves network
import { maskPII, unmaskPII } from './pii-masker.edge'
// In your Next.js API route:
export async function POST(req: Request) {
const { prompt } = await req.json()
// Mask PII before sending to OpenAI
const { cleanPrompt, vault } = await maskPII(prompt)
const response = await openai.chat.completions.create({
messages: [{ role: 'user', content: cleanPrompt }]
})
// Restore real values only for the user's browser
const safeResponse = unmaskPII(response.choices[0].message.content, vault)
return Response.json({ content: safeResponse })
}