Service

Compliance

The evidence the auditor wants — collected automatically, ready when they call.

POPIA · FSCA · HPCSA · PASA · ISO 27001 alignment · PFMA / MFMA · Data inventory · Processing register · SAR handling · Breach response · Audit trail preservation.

Book a Compliance assessment →

What we mean by Compliance

Not a binder on a shelf. A live, current record.

Most South African mid-market businesses we audit have “done” POPIA the same way: they paid a consultant a year ago, got a binder of templates, and haven’t touched it since. When the Information Regulator writes — or worse, an insurer asks — the binder doesn’t match the actual systems.

The fix isn’t another binder. It’s a live record that updates itself whenever the underlying IT changes. New employee onboarded? The processing register knows. Backup retention changed? The data lifecycle map updates. Server moved to AWS Cape Town? Your data-residency statement updates automatically.

We cover the operational evidence side of compliance — not the legal interpretation. Your attorney decides what POPIA means for your business; we make sure the technical proof exists when they ask for it. We work alongside compliance consultants and attorneys, not against them.

What we cover

Six pieces every regulator asks for.

Each one is a recurring evidence stream — not a once-off document.

Data inventory & processing register

What personal data you hold, where it lives, who has access, how long you keep it, what legal basis you process it under. Required under POPIA s17. Auto-updated as your systems change — not a snapshot from 2023.

Sector-specific compliance evidence

FSCA + PASA for financial services. HPCSA for healthcare. SITA + PFMA / MFMA for public sector. MHSA for mining. We structure the evidence each regulator actually asks for, not a generic POPIA template that ignores your sector.

Subject Access Request (SAR) handling

Under POPIA, any data subject can ask “what do you have on me?” You have 30 days to answer fully. We’ve built the workflow so when the request lands, you click two buttons — not panic for a week.

Breach response & 72-hour notification

POPIA s22 gives you a tight notification window when a breach occurs. We’ve pre-drafted the Information Regulator notification template, the affected-party communications, and the internal incident log. When (not if) it happens, you fill in the blanks — you don’t start from scratch.

Audit trail preservation

Who did what, when, on which system. Immutable storage, retention policies, search-ready when an auditor requests “show me every access to file X between dates Y and Z”. Most clients can’t do this. After us, you can — in under five minutes.

ISO 27001 alignment (where appropriate)

For clients eyeing ISO certification, we align technical controls with Annex A from day one. We’re not a certification body — that’s a separate auditor — but you arrive at the audit with 80% of the evidence already structured the way ISO wants it.

What runs while you sleep

Evidence collected without you lifting a finger.

Compliance dies the moment it depends on someone remembering to do something manually. We’ve automated the recurring evidence so it’s ready when the auditor asks.

  • User access reviews captured monthly
  • Backup integrity attestations stored automatically
  • Encryption-at-rest evidence refreshed daily
  • Patch compliance recorded per endpoint
  • Privileged account activity logged & auto-archived
  • Data-residency confirmation for every workload
  • Vendor due-diligence records refreshed annually
  • Staff awareness completion tracked & reported

What we’ll hand to your attorney or auditor

A live folder, not a stale binder.

Compliance dossier (always current)

A single shared folder — SharePoint or your DMS — with policies, procedures, registers, evidence logs. Versioned, dated, and refreshed without you asking.

Quarterly compliance review

One-hour walkthrough with the leadership team. What changed this quarter, what’s flagged amber/red, what we’re fixing next. Documented — so when the regulator asks “when did you last review your controls?”, you have a date.

Regulator / auditor first-response support

When the Information Regulator or your sector auditor writes, we help you respond inside 24 hours. Not legal advice — we work with your attorney on that — but the technical evidence side is on us.

What we won’t do

We won’t replace your attorney. We won’t sell you a “POPIA-in-a-box” product that’s stale on arrival. We won’t claim ISO certification — that’s an accredited auditor’s job. Where we’re not the right party, we say so — and we name who is.

“We were drowning in user tickets and 3am server alerts. Two years on Burika’s managed support, our team hasn’t seen an after-hours incident — and our staff actually like calling IT now.”

— IT Manager, EurekaIT, Johannesburg

“Burika audited our setup, fixed three POPIA gaps we didn’t know we had, and now monitors everything quietly. Our MD finally stopped asking me “are we covered?””

— Operations Director, Joubea

When did anyone last check your IT health?

Sixty minutes with a senior engineer. We’ll review your setup, flag the gaps that matter, and tell you straight if there’s nothing wrong.

Book your free assessment