PrivIQ Risk Calculator by Khwezi
/ 9

What is your POPIA exposure really worth?

Nine questions. A risk-adjusted rand figure for your organisation's annual privacy risk exposure under POPIA — and GDPR if it applies to you. About 3 minutes.

Regulatory exposure
The Information Regulator can fine up to R10 million under s109 — and s107 adds criminal liability. See your risk-adjusted annual exposure based on your actual compliance gaps.
Breach liability
IBM puts the average South African breach at R44.1 million. See what a single reportable incident would cost you, given your data types and safeguards.
Data subject requests
POPIA gives you 30 days to answer an access request. Missed deadlines mean Regulator complaints, legal review, and remediation cost.
Direct marketing risk
Section 69 makes unsolicited electronic marketing opt-in — and it is the Regulator's number-one complaint category. See what your consent gaps could cost.
Question 1 of 9

Which sector best describes your organisation?

Sector affects both enforcement scrutiny and breach cost. IBM's 2025 South Africa data puts financial-sector breaches at R70.2m against a R44.1m national average.

Question 2 of 9

Do you serve businesses or consumers?

Consumer-facing organisations receive far more data subject requests and direct-marketing complaints than those serving other businesses.

Question 3 of 9

How many data subjects are in your systems?

Count everyone whose personal information you hold — customers, employees, prospects, suppliers' contacts. A ballpark is fine.

Question 4 of 9

What kinds of personal information do you process?

Select all that apply. POPIA treats special personal information (s26) and children's information (s34) far more strictly — they raise your liability per record.

Question 5 of 9

Do you process the personal data of people in the EU, EEA or UK?

If yes, the GDPR applies alongside POPIA — with fines up to €20 million or 4% of global turnover, and sustained, well-resourced enforcement. This layers additional exposure on top of your POPIA figures.

Question 6 of 9

Which security safeguards do you have in place?

POPIA s19 requires "appropriate, reasonable" technical and organisational measures. Each gap raises both your breach probability and your cost per record. Select all that genuinely exist.

Question 7 of 9

Which POPIA compliance measures exist in your organisation?

They don't need to be perfect — select anything that exists in some working form. Leaving this blank is a valid (and expensive) answer.

Question 8 of 9

Do you do electronic direct marketing?

Email, SMS or automated calls. Section 69 makes unsolicited electronic marketing opt-in — and direct marketing is the Information Regulator's most common complaint category, with its first s69 enforcement notice issued in 2024.

Question 9 of 9

How many privacy or security incidents in the last 12 months?

Breaches, near-misses, misdirected emails, lost devices, unresolved access requests — anything that touched personal information. The Regulator received roughly 2,400 security compromise notifications last financial year and volumes are climbing ~40% year on year.

Zero recorded incidents usually means zero incident tracking — not zero incidents.

Ten or more in a year is a systemic pattern. Your hidden exposure is likely higher than what you're seeing.

PrivIQ Risk Calculator
Annual privacy risk exposure
Book a PrivIQ demo
Report sent. Check your inbox — and feel free to keep adjusting the numbers; you can re-send any time.
Exposure breakdown
Visualised
Where your exposure sits
Current exposure vs with PrivIQ
What if PrivIQ handled this?

Toggle PrivIQ modules to see your exposure fall in real time. Each card shows that module's saving on its own; the combined figure below accounts for overlap between modules.

Total risk reduced with PrivIQ
Talk to us about PrivIQ →
Figures are risk-adjusted estimates anchored in the IBM Cost of a Data Breach Report (South Africa, 2025), Information Regulator enforcement data, POPIA (ss 19, 22, 23, 26, 34, 69, 107, 109) and, where selected, the GDPR (Arts 12, 34, 83). They are estimates, not audited figures or legal advice — your actual exposure may be higher. How we calculate this →  ·  Privacy Policy  ·  © 2026 Khwezi Holdings (Pty) Ltd
Email me my report
We'll send a summary of your results so you can share it internally — and a link back here to adjust the numbers any time.

We may contact you about your results. Your information is handled in line with our Privacy Policy and POPIA.

How the numbers work
Every figure is a documented formula over your inputs. All calculation runs in your browser — nothing is sent anywhere until you choose to email yourself the report. These are risk-adjusted estimates, not legal advice.
1. Regulatory enforcement exposure

Seven core POPIA compliance measures are tracked: a registered Information Officer, PAIA s51 manual, a data subject request workflow, s20/21 operator agreements, s69-compliant marketing consent, a security compromise response plan, and records of processing. Each missing measure carries a risk-adjusted annual exposure — the probability of a complaint, assessment or enforcement action multiplied by the expected cost of responding to and remediating it, calibrated against the Regulator's track record (two R5m fines to date, s109 ceiling of R10m, enforcement volumes rising ~40% year on year) rather than statutory maxima.

enforcement = gaps × base_per_gap × sector_mult × scale_mult(band) × (gdpr_applies ? gdpr_mult : 1)
2. Breach liability (annualised) & per-incident figure

IBM's 2025 South Africa data reports an average breach cost of R44.1m across an average 23,445 breached records — roughly R1,880 per record, which is our base rate. We apply a realistic incident scope (a fraction of your data subject band, consistent with how real breach investigations scope affected populations), a sensitivity multiplier for special personal information under s26/s34, and a safeguards multiplier reflecting s19 obligations and the reduced notification burden for encrypted data under s22 and GDPR Art 34. Annualised exposure multiplies the per-incident figure by an estimated annual breach probability, adjusted upward for safeguard gaps and your reported incident history.

per_incident = scope(band) × R_per_record × sensitivity_max × safeguard_mult probability = base_prob(band) × (1 + safeguard_gaps × step) × incident_signal annualised = per_incident × probability
3. Data subject request exposure

POPIA s23 (via PAIA) gives a 30-day response window; GDPR Art 12 allows one month. Request volume is seeded from your business model and scale and fully adjustable. Without a formal workflow, a meaningful share of requests miss the deadline — each miss carrying legal review, Regulator correspondence and remediation cost.

request_exposure = requests_per_year × miss_rate × cost_per_miss × (gdpr ? mult : 1)
4. Direct marketing exposure (s69)

Direct marketing is the Information Regulator's most common complaint category and a stated enforcement priority; its first s69 enforcement notice was issued in February 2024. Exposure scales with your data subject count and business model, and collapses when opt-in consent records exist. The 2025 POPIA Regulation amendments tightened the prescribed consent process further.

PrivIQ module effects

Each module applies reduction factors to the components it addresses (e.g. request automation cuts the miss rate; consent management removes s69 exposure; incident management reduces annualised breach cost via faster containment — IBM attributes South Africa's 17% year-on-year breach cost decline substantially to faster detection and response). Individual card savings are computed with only that module active; the combined figure is computed with all active modules together, so overlapping effects compound rather than double-count.

Sources

IBM Cost of a Data Breach Report 2025 (South Africa figures); Information Regulator media statements, annual reporting and 2025/26 Annual Performance Plan; POPIA ss 19, 22, 23, 26, 34, 69, 107, 109 and the 2025 Regulation amendments; PAIA s51; GDPR Arts 12, 34 and 83(5). Parameters without a citable published source are field estimates from Khwezi's POPIA advisory work, disclosed as such and adjustable.

Terms

This tool is illustrative and is not legal, regulatory or financial advice. Output quality depends entirely on your inputs, which the tool cannot validate. A proper privacy risk assessment requires a qualified professional to evaluate your specific systems, data flows and obligations. Khwezi Holdings (Pty) Ltd accepts no liability for decisions taken in reliance on these estimates.

TML
Skip links

Supercharge your Revenue and compliance

Discover how our solutions increase your bottom line.

Get in touch
call us now
+27 (010) 271-2224
about us

Your technology services partner

Welcome to Khwezi, where we are passionate about turning manual processes into efficient and productive workflows for businesses. In today's digital age, it's surprising how many companies are still relying on outdated paper-based systems, which can be time-consuming and error-prone. When comes to service we don't take shortcuts, because that's the way we ensure perfect results.  We dont just adhere to industry-specific and internationla standards - we surpass them, with a qualified team and service that ensures every project receives the exact resources it deserves.   Time is money and we don't waste either.





    30,000

    Users empowered by our services

    200+

    Trusted clients

    R120 Million

    Cost Recovery & Value Realization Per Month

    70%+

    Disbursement Realization

    Khwezi's Trusted Industry Experience

    Compliance & Automation Across South Africa's Key Sectors

    0107

    From pathology laboratories to provincial government, our platforms are built to meet the exacting regulatory standards of every sector we serve. We don't just understand your industry's compliance landscape – we work in it every day, with a qualified team and solutions shaped by more than a decade of hands-on experience.

    Your data, your billing, your compliance – handled properly, the first time.

    Don't see your industry listed? We'd be happy to discuss your needs…

    Let's Talk

    unleashing our clients’ potential by maximising their innovation.

    specialists in niche markets, products, and services.

    Leading experts in highly specialized products and services.

    Our team is dedicated to understanding the unique needs and nuances of these specific sectors, allowing us to tailor our solutions precisely to your requirements. Khwezi is here to support your endeavours with our targeted approach and deep industry knowledge.

    nQ Zebraworks

    Legal Cost Recovery

    Learn more

    AI Document Management

    Digitizing Paper Processes

    Learn more

    Privacy & Risk Management

    Compliance

    Learn more

    Fibre Connectivity & Voice

    Learn more

    Cyber & Security Solutions

    Learn more

    Digital Scanning Services

    Learn more

    testimonials

    This website uses cookies to improve your web experience.
    Home
    Search