Open DSARs
3
2 due this week
Client Requests
4
1 overdue response
Active Incidents
1
Under investigation
Policy Reviews Due
2
1 overdue, 1 this month
POPIA Compliance Health
TSL Group SA · April 2026
s8 — Lawful processing94%
s18 — Notification obligations88%
s22 — Security safeguards76%
ECTA s51 — Data messages91%
Upcoming Actions
Urgent
DSAR response — K. Pillay
Due 1 Apr 2026
Soon
Vendor assessment — Exacom
Due 7 Apr 2026
Soon
ECTA Policy — overdue review
4 months overdue
Planned
Staff POPIA awareness training
30 Apr 2026
TSL AI Compliance Assistant
Claude · POPIA & ECTA · Daily law monitoring
Hello Bavesh. I'm your TSL Compliance Assistant. I can help with POPIA obligations, draft responses, analyse incidents, review policies, and send automated vendor reminders. What can I help you with today?
POPIA s22 obligations
Compliance summary
Recent law changes
Draft staff reminder
Last synced: Today, 06:00 AM SAST · Auto-sync daily via Netlify Scheduled Function
Legislative & Case Law Updates
2 newHigh ImpactPOPIA Regs3 Apr 2026
Information Regulator — updated guidance on direct marketing consent
Pre-ticked consent boxes are not valid consent under POPIA s11(1)(a). Organisations must audit legacy opt-in mechanisms. Directly affects TSL's marketing database and loyalty programme consent flows.
Source: informationregulator.org.za
Medium ImpactECTA Amendment28 Mar 2026
Draft Electronic Communications Amendment Bill — data localisation requirements
Stricter requirements for cross-border transfers of South African citizens' data. Comment period closes 30 May 2026. Relevant to TSL's AWS and Salesforce deployments under POPIA s72.
Source: Government Gazette No. 51847
Track all external compliance requests from clients, regulators, and third parties. Upload shared documents, assign reference numbers, and manage timelines. Automated reminders sent via your configured no-reply email.
Client Compliance Requests
CR-2026-001
POPIA Compliance Audit — Information Regulator
Information Regulator SA · Regulatory Audit
📄 IR_Audit_Notice.pdf
📄 POPIA_Framework_v2.1.docx
📊 RoPA_Export_2026.xlsx
CR-2026-002
Third-Party Due Diligence — Vodacom SA
Vodacom (Pty) Ltd · Due Diligence Request
📄 Vodacom_DDQ_2026.pdf
📄 IS_Policy_v3.0.docx
CR-2026-003
Contract Compliance Review — MTN SA
MTN (Pty) Ltd · Contract Review
📄 MTN_DPA_Agreement.pdf
📄 TSL_Response_CR-2026-003.docx
POPIA s23 — Data subjects have the right to access, correction, deletion or to object. TSL must respond within 30 days. Automated acknowledgement emails sent via your no-reply address.
Data Subject Access Requests
| Ref | Data Subject | Type | Received | Due | Status | ||
|---|---|---|---|---|---|---|---|
| TSL-DSAR-001 | Kavesh Pillay TSL Telecoms · Employee | Access | 2 Mar 2026 | 1 Apr 2026 | In Progress | ||
| TSL-DSAR-002 | Priya Moodley TSL Broadband · Customer | Correction | 15 Mar 2026 | 14 Apr 2026 | In Progress | ||
| TSL-DSAR-003 | Thabo Nkosi TSL Mobile · Customer | Deletion | 28 Mar 2026 | 27 Apr 2026 | New |
Record of Processing Activities (RoPA) required under POPIA. All personal information processing within TSL Group SA must be documented here.
| Process | Business Unit | Personal Info | Legal Basis | Retention | Risk |
|---|---|---|---|---|---|
| Employee HR Records | Human Resources | Name, ID, salary, biometric | Contractual | 7 years | Medium |
| Customer Billing | Finance | Name, address, bank details | Contractual | 5 years | Medium |
| Marketing Database | Sales & Marketing | Name, email, preferences | Consent | Until opt-out | High |
| CCTV Footage | Facilities | Biometric / visual | Legit. Interest | 31 days | High |
| Network Monitoring | IT Infrastructure | IP addresses, usage logs | Legit. Interest | 90 days | Low |
⚠ Recent IR guidance: pre-ticked boxes are not valid consent under POPIA s11(1)(a). Review all existing consent mechanisms immediately.
Privacy Notices & Consent
Customer Privacy Notice
Active · v3.1Last reviewed: 15 Jan 2026 · Next: 15 Apr 2026
78% — missing cross-border transfer disclosure (s72)
Employee Privacy Notice
Active · v2.0Last reviewed: 1 Oct 2025 · Next: 1 Oct 2026
92% — good standing
POPIA s22 — TSL must notify the Information Regulator and affected data subjects of any security compromise as soon as reasonably possible. Notification emails sent via your configured no-reply address.
Incident & Breach Register
| Ref | Description | Discovered | Severity | Reportable? | Status | |
|---|---|---|---|---|---|---|
| TSL/POPIA/IR/2026/001 | Unauthorised SMS marketing Employee breach of consent obligations | 15 Jan 2026 | Medium | Under review | FWW issued |
POPIA s20–21 — TSL must ensure operators have adequate safeguards and signed operator agreements. Send vendors a POPIA self-assessment questionnaire via your configured no-reply email.
Send Vendor Self-Assessment
Sends via your no-reply email| Vendor | Service | Agreement | Assessment | Risk | |
|---|---|---|---|---|---|
| Amazon Web Services | Cloud infrastructure | ✓ Signed | Complete | Low | |
| Exacom (Pty) Ltd | Call recording | ✗ Missing | Pending | High | |
| Salesforce Inc | CRM platform | ✓ Signed | Complete | Medium | |
| Securitas SA | Physical security | ⚠ Outdated | Not sent | Medium |
Upload existing policies for AI review, set review timelines, and receive automated reminders. Policies should be reviewed annually or on material change in processing activities.
Policy & Document Library
POPIA Compliance Framework
v2.1 · Legal & Compliance · Annual review
✓ CurrentApproved
Review cycle:
Next: Jan 2027
Jan 2024
Created
Created
Jan 2025
Review
Review
Jan 2026
Current
Current
Jan 2027
Due
Due
Information Security Policy
v3.0 · IT Department · Annual review
Due SoonApproved
Review cycle:
Next: Jun 2026 (2 months)
Jun 2024
Created
Created
Jun 2025
Current
Current
Jun 2026
Due soon
Due soon
ECTA Electronic Communications Policy
v1.0 · Legal & Compliance · Annual review
⚠ OverdueNeeds Review
Review cycle:
4 months overdue
Dec 2024
Created
Created
Dec 2025
OVERDUE
OVERDUE
Data Retention & Deletion Policy
v1.4 · Legal & Compliance · Annual review
Review cycle:
Apr 2026 — This Month
Users are managed via Netlify Identity (no Azure required). To add a user: Netlify → tsl-comply → Identity → Invite users. MFA can be enforced via Netlify Identity settings.
Authorised Users
BP
Bavesh Padayachy
bavesh19@gmail.com · b.padayachy@tsllegal.co.za
SM
S. Mthembu
s.mthembu@tsllegal.co.za
Configure your no-reply email address for all automated communications — vendor assessments, DSAR acknowledgements, policy reminders, and incident notifications. Uses EmailJS — free, no server required.
EmailJS Configuration
Create Free Account ↗To set up: (1) Create a free EmailJS account at emailjs.com (2) Connect your Gmail or Outlook (3) Create an email template (4) Paste your credentials below
EmailJS Template Guide
Create these templates in your EmailJS dashboard. Use these variable names:
Vendor Assessment template — variables: {{to_name}} {{to_email}} {{vendor_name}} {{service}} {{assess_link}} {{from_name}}
DSAR Acknowledgement template — variables: {{to_name}} {{to_email}} {{ref}} {{request_type}} {{due_date}} {{from_name}}
Policy Reminder template — variables: {{to_name}} {{to_email}} {{policy_name}} {{due_date}} {{from_name}}