POPIA and Recruitment: What Your Organisation Needs to Know
The Protection of Personal Information Act (POPIA) fundamentally changes how South African organisations must handle personal information during recruitment. For talent acquisition teams, this means rethinking data collection practices, storage policies, and candidate communication workflows.
What POPIA Means for Recruitment
POPIA applies to any processing of personal information, including the collection, storage, use, and deletion of candidate data during recruitment. This covers CVs, interview notes, assessment results, reference checks, and any other information collected about candidates.
Key principles that affect recruitment:
Purpose Limitation
Candidate data may only be collected for a specific, explicitly defined purpose, and the candidate must be made aware of that purpose. Collecting information "in case we need it later" or "for future opportunities" without a stated purpose and a lawful basis (in practice, explicit consent to be kept in a talent pool) is non-compliant.
Data Minimisation
Organisations should collect only the personal information necessary for the recruitment process. Requesting information that is not relevant to the role, such as marital status, number of dependents, or religious affiliation, without a legitimate business reason creates compliance risk. Some of these categories (religious or philosophical beliefs, race or ethnic origin, health, criminal behaviour, biometric data, among others) are "special personal information" under POPIA, which may not be processed at all unless one of the Act's specific exceptions applies, so they need a documented justification rather than a general relevance argument.
Retention Limitation
Candidate data should not be retained indefinitely. POPIA's standard is that records must not be kept longer than necessary for the purpose for which they were collected, unless a law requires longer retention or the candidate consents to it; the Act itself does not set a fixed number. A common practice guideline is to retain unsuccessful candidate data for no more than 12 months unless the candidate has given explicit consent for longer retention. Whatever period you choose, it must be defined, documented and enforced.
Data Subject Rights
Candidates have the right to access their personal information, to request correction or deletion of it, and to object to processing. Your recruitment process must be able to locate a candidate's data across every system it lives in and act on these requests efficiently.
Practical Steps for Compliance
1. Audit Your Current Process
Map every point where candidate data enters your organisation. This includes career portals, email applications, recruitment agency submissions, and internal referrals. For each entry point, document what data is collected, where it is stored, who has access, and how long it is retained. Include the shadow copies that audits usually miss: CVs sitting in individual inboxes, interview notes in personal documents, and exports in shared spreadsheets, since retention and access rules have to cover these too.
2. Implement Consent Management
Every candidate should be given a clear, plain-language privacy notice before their data is processed, explaining what data is collected, why, how it will be used, who it will be shared with, and how long it will be retained. Consent is the most straightforward lawful basis for recruitment processing, and it is the only basis that supports keeping a candidate in a talent pool after a process closes, but POPIA also recognises other justifications (for example, processing necessary to take steps towards concluding a contract with the candidate). Record which basis you rely on, and when consent is used, record when and for what it was given so it can be withdrawn.
3. Define Retention Policies
Establish clear retention periods for candidate data at each stage of the recruitment process. Automate deletion or anonymisation when retention periods expire.
4. Control Access
Not everyone involved in recruitment needs access to all candidate data. Implement role-based access controls that limit data visibility to what each person needs to perform their function.
5. Prepare for Data Subject Requests
Build processes for responding to candidate requests to access, correct, or delete their personal information within the timeframes POPIA requires. Verify the requester's identity before disclosing or changing anything (POPIA requires adequate proof of identity for access requests), and log each request and its outcome so you can demonstrate compliance.
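The following is an added illustration of steps 3 to 5 as they would look in code; it is not ShumelaHire's code or anything the page describes. It assumes a simple candidate record, a retention policy (365 days after the last activity for unsuccessful or withdrawn candidates, extended to 730 days from the date of explicit talent-pool consent), a set of role-to-field mappings, and an in-memory audit log; all of these values are assumptions chosen for the example, and the sample records are constructed. Anonymisation is used rather than deletion so that aggregate reporting on closed processes keeps working after identifying fields are gone.

```python
"""Retention sweep, subject erasure request and role-scoped views for candidate
records. Added example; policy values and records below are assumptions."""
from dataclasses import dataclass, asdict
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed policy: days after the last recruitment activity before a closed
# record is anonymised. 365 follows the 12-month guideline in the text. Hired
# candidates move into employment records and are out of scope for this sweep.
RETENTION_DAYS: Dict[str, Optional[int]] = {"unsuccessful": 365, "withdrawn": 365, "hired": None}
# Assumed: explicit talent-pool consent keeps the record 24 months from the consent date.
CONSENT_EXTENSION_DAYS = 730

# Assumed role -> visible fields (role-based access, step 4). Unknown roles see nothing.
ROLE_FIELDS = {
    "recruiter": {"candidate_id", "name", "email", "cv_text", "interview_notes", "status"},
    "hiring_manager": {"candidate_id", "name", "cv_text", "interview_notes", "status"},
    "interviewer": {"candidate_id", "name", "cv_text"},
    "analyst": {"candidate_id", "status", "last_activity"},
}


@dataclass
class Candidate:
    candidate_id: str
    name: str
    email: str
    cv_text: str
    interview_notes: str
    status: str                     # active | unsuccessful | withdrawn | hired
    last_activity: date
    talent_pool_consent_on: Optional[date] = None   # date explicit consent was recorded
    anonymised: bool = False


def retention_deadline(c: Candidate) -> Optional[date]:
    """Last day the identifiable record may be kept; None if the clock has not started."""
    if c.status == "active":
        return None                 # process still running, retention clock not started
    if c.status not in RETENTION_DAYS:
        raise ValueError(f"unknown status {c.status!r} for {c.candidate_id}")  # surface, never guess
    days = RETENTION_DAYS[c.status]
    if days is None:
        return None                 # hired: retained under the employment relationship instead
    deadline = c.last_activity + timedelta(days=days)
    if c.talent_pool_consent_on is not None:
        # Consent extends retention, measured from the date consent was given.
        deadline = max(deadline, c.talent_pool_consent_on + timedelta(days=CONSENT_EXTENSION_DAYS))
    return deadline


def anonymise(c: Candidate, audit: List[dict], today: date, reason: str) -> None:
    """Strip identifying fields in place, keep status and dates for reporting, and log the action."""
    c.name, c.email, c.cv_text, c.interview_notes = "", "", "", ""
    c.talent_pool_consent_on = None
    c.anonymised = True
    audit.append({"when": today.isoformat(), "candidate_id": c.candidate_id,
                  "action": "anonymise", "reason": reason})


def retention_sweep(candidates: List[Candidate], today: date, audit: List[dict]) -> List[str]:
    """Step 3: anonymise every record past its deadline; return the ids acted on."""
    acted = []
    for c in candidates:
        if c.anonymised:
            continue
        deadline = retention_deadline(c)
        if deadline is not None and today > deadline:
            anonymise(c, audit, today, f"retention expired {deadline.isoformat()}")
            acted.append(c.candidate_id)
    return acted


def handle_erasure_request(candidates: List[Candidate], candidate_id: str,
                           today: date, audit: List[dict]) -> bool:
    """Step 5: a verified deletion request is honoured immediately, regardless of the clock."""
    for c in candidates:
        if c.candidate_id == candidate_id and not c.anonymised:
            anonymise(c, audit, today, "data subject request")
            return True
    return False                    # unknown id or already anonymised: nothing to do


def view_for_role(c: Candidate, role: str) -> dict:
    """Step 4: return only the fields the role may see; fails closed for unknown roles."""
    allowed = ROLE_FIELDS.get(role, set())
    return {k: v for k, v in asdict(c).items() if k in allowed}


# Constructed sample records (not real people).
SAMPLE = [
    Candidate("c1", "Thabo M", "thabo@example.org", "CV text", "Good fit", "unsuccessful", date(2024, 1, 10)),
    Candidate("c2", "Naledi K", "naledi@example.org", "CV text", "", "unsuccessful", date(2024, 1, 10),
              talent_pool_consent_on=date(2024, 6, 1)),
    Candidate("c3", "Sipho D", "sipho@example.org", "CV text", "", "active", date(2025, 3, 1)),
    Candidate("c4", "Lerato P", "lerato@example.org", "CV text", "Offer accepted", "hired", date(2024, 2, 1)),
]


def demo(today: date = date(2025, 6, 1)) -> dict:
    """Run a sweep, then an erasure request for c2 (and a repeat, which is a no-op)."""
    audit: List[dict] = []
    records = [Candidate(**asdict(c)) for c in SAMPLE]   # fresh copies, SAMPLE stays intact
    swept = retention_sweep(records, today, audit)
    erased = handle_erasure_request(records, "c2", today, audit)
    repeat = handle_erasure_request(records, "c2", today, audit)
    return {"records": records, "swept": swept, "erased": erased, "repeat": repeat, "audit": audit}


if __name__ == "__main__":
    result = demo()
    print("swept:", result["swept"])
    for entry in result["audit"]:
        print(entry)
    print("interviewer view of c3:", view_for_role(result["records"][2], "interviewer"))
```

On 2025-06-01 the sweep anonymises only c1: c2 has the same last-activity date but its talent-pool consent pushes the deadline to 2026-06-01, c3 is still in process, and c4 is hired and handled elsewhere. An unrecognised status raises rather than being silently kept or purged, which is the behaviour you want from an automated deletion job.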
The Technology Foundation
Manual POPIA compliance in recruitment is theoretically possible but practically unsustainable at scale. Organisations processing hundreds or thousands of applications per year need systematic controls — automated retention enforcement, configurable consent management, granular access controls, and comprehensive audit logging.
ShumelaHire was designed with POPIA compliance as a foundational requirement, not a retrofit. Every feature, from data collection to candidate communication to reporting, operates within a framework designed for South African privacy law.