Compliance

How POPIA affects your field service business — and what to do about it

POPIA is not just a large-business concern. South African field service companies hold customer data, GPS locations, and job site photos that fall under POPIA. Here's what you need to know and what to do about it.

By WorkOrderPro Team

The Protection of Personal Information Act came into full effect in July 2021. Most small businesses in South Africa have heard of POPIA, but fewer have worked through what it actually requires of them.

For field service businesses — plumbers, electricians, HVAC companies, security installers, cleaning companies — POPIA is more directly relevant than it is for a typical retail shop. You hold customer addresses, you track your technicians' GPS locations, you photograph people's homes and workplaces, and you store all of this in digital systems. Most of that data is subject to POPIA.

This article is not legal advice. It explains the practical implications of POPIA for field service operations and the steps most small service businesses can take to be in reasonable compliance. If your business operates at significant scale or holds sensitive categories of personal information, consult a qualified POPIA practitioner.

What POPIA requires in plain terms

POPIA governs how businesses collect, use, store, and delete personal information about other people — including customers and employees.

The key principles, summarised practically:

Lawful purpose: You must have a legitimate reason to collect personal information. For a field service business, the reasons are generally obvious — you need a customer's address to send a technician, their phone number to communicate about the job, their email to send an invoice. These are lawful purposes.

Consent: In many cases, collecting personal information requires the person's consent. For customers, the act of requesting a service and providing their details is generally considered implicit consent for the purpose of fulfilling that service. But you need to make it clear what data you are collecting and what you will use it for.

Purpose limitation: You cannot use personal data you collected for one purpose for a different, unrelated purpose. A customer's phone number collected for job confirmation cannot be added to a marketing list without separate consent.

Data minimisation: Collect only what you need. You do not need a customer's ID number to schedule a plumbing job. You do not need their date of birth. Collect the minimum necessary.

Data subject rights: Individuals have the right to request access to the personal data you hold about them, to request corrections, and in certain circumstances to request deletion. If a customer asks "what information do you hold about me?", POPIA requires you to be able to answer that question.

Security: You must take reasonable measures to protect the personal data you hold from unauthorised access, loss, or destruction.

The data your field service business holds

Walk through the data a typical field service business handles:

Customer data

Every job card holds at minimum: customer name, phone number, email address, and job site address. If the customer is a tenant and the account holder is a landlord, you may hold data on two people. If the property is residential, the job site address is personal information.

This data is collected lawfully — it is necessary to provide the service — but you need to retain it appropriately and dispose of it when it is no longer needed.

Job photos

Job site photos — arrival photos, work-in-progress photos, completion photos — often include identifiable images of someone's home, workplace, or personal belongings. In a residential context, photos of a kitchen, a bathroom, or a bedroom are personal data because they can be associated with an identifiable individual at a known address.

If a photo happens to include a person — a customer walking through the frame, a family member in the background — that is unambiguously personal data.

Your photo retention policy needs to address this. Retaining job photos for seven years "just in case" may not be proportionate. Retaining them for the period during which a dispute could arise is more defensible.

GPS location data for technicians

This is the most frequently misunderstood area of POPIA for field service businesses. When you track the GPS location of your technicians through a field service app, you are collecting personal information about employees.

POPIA requires that employees give explicit, informed consent to GPS tracking before it begins. The consent must be documented, and employees must understand what data is collected, how it is used, and how long it is retained.

"It was in their employment contract" is sometimes acceptable but is not always sufficient — the consent must be informed and meaningful, not buried in a clause.

GPS data retention: Raw GPS location data has a limited legitimate purpose. You need to know where a tech is during work hours. You probably do not need to know their precise movement trail from six months ago. A 90-day retention limit on raw GPS data is a defensible position for most field service businesses.

After-hours GPS tracking: Tracking technician location outside of working hours — when they are in the company vehicle overnight, for example — requires separate justification. For most businesses, limiting GPS tracking to when a technician is clocked in or has the app active in the foreground is the appropriate policy.

Customer photos from on-site visits

If your technicians take photos that include images of people (not just property), those photos constitute personal data. This is uncommon in most field service contexts — a plumber does not typically photograph the homeowner — but it can happen.

The practical advice: instruct techs that photos should document the work, not the people. If a customer or their family member is inadvertently captured in a photo, that photo should be reviewed before being retained in the job record.

GPS tracking and technician consent: the legal requirement

The Information Regulator has made clear that employee monitoring — including GPS tracking — requires informed, documented consent. This is a contractual and operational step, not just a software setting.

At a minimum, you need:

  1. A written policy explaining that GPS tracking is used during working hours, what data is collected, and how long it is retained
  2. A signed acknowledgment from each technician that they have read and understood the policy
  3. A clear process for what happens when a technician does not consent (which may affect their ability to perform the role, but you cannot require consent through coercive means)

This is not complicated for most small service businesses. A two-page GPS tracking policy and a sign-off form, reviewed by a labour lawyer before use, covers most scenarios.

WorkOrderPro handles the technical side of this: GPS consent is captured explicitly on first login for each technician. If consent is not given, GPS tracking is not enabled. The app tracks location only when the technician is clocked in or has the app active in the foreground — not passively in the background. Raw GPS data is purged after 90 days, and each technician can view their own GPS history.

Data retention: how long to keep what

POPIA does not prescribe specific retention periods for field service data — it requires that personal data is retained only as long as necessary for the original purpose and not longer.

Practical guidelines for field service:

  • Job records (job card, services performed, invoice): Seven years is defensible, as SARS requires financial records to be retained for that period. The personal data within those records (customer name, address) is necessary to maintain an accurate historical record.
  • Job photos: Consider retaining for the period during which a customer dispute or a warranty claim could arise. For most jobs, a retention period of two to three years is proportionate.
  • GPS location data: 90 days for raw location trails. Derived data (e.g., "tech arrived at job site at 09:15") may be part of the job record and retain with it.
  • Customer contact details for inactive customers: If a customer has not engaged with your business in three years and you have no pending work or financial obligation, there is limited justification for retaining their personal data.

What WorkOrderPro does to support POPIA compliance

WorkOrderPro is designed with SA businesses in mind. The following features directly support POPIA compliance:

  • Explicit GPS consent on first login: Technicians must affirmatively consent to GPS tracking before it is activated. The consent is recorded.
  • Location tracking limited to active sessions: GPS is active only when the technician is clocked in or the app is in the foreground. No background tracking.
  • 90-day GPS data purge: Raw GPS location trails are automatically deleted after 90 days.
  • Technician GPS history access: Each technician can view their own location history within the retention window.
  • Data subject access requests: The platform supports DSAR responses — when a customer requests their data, you have a structured record to provide.

POPIA compliance also requires your own policies, procedures, and documentation as a business. Software can support your compliance but it cannot replace the need for a privacy policy, an information officer designation, and appropriate staff training.

What to do next

Start with the basics. These four actions put most small field service businesses in a substantially better compliance position:

  1. Appoint an information officer (required for all organisations — can be the owner in a small business)
  2. Write and publish a privacy policy on your website and your invoices
  3. Obtain written GPS consent from all technicians before enabling location tracking
  4. Review your photo and data retention practices and document a retention schedule

POPIA compliance is not a one-time exercise. It requires ongoing attention as your business practices and technology change. But most small service businesses can get to a reasonable baseline without significant cost or complexity.

WorkOrderPro is built with POPIA in mind — explicit GPS consent, 90-day data purge, and technician location transparency built in. Read our POPIA policy or start your free 14-day trial.

Title Variations

  1. "How POPIA affects your field service business — and what to do about it" (71 characters)
  2. "POPIA compliance for South African field service companies — a practical guide" (76 characters)
  3. "What POPIA means for plumbers, electricians, and field service businesses" (72 characters)
  4. "POPIA and GPS tracking: what SA service businesses need to know" (62 characters)
  5. "POPIA for field service: customer data, GPS tracking, and job photos" (68 characters)

Meta Description

How POPIA affects South African field service businesses — GPS consent, customer data, job photos, and data retention. Practical steps, not legal jargon. (152 characters)

Key Takeaways

  • GPS tracking of technicians requires documented, explicit, informed consent under POPIA — not just a clause buried in an employment contract.
  • Job site photos may be personal data when they can be associated with an identifiable individual at a known address.
  • Raw GPS location trails should be purged after 90 days; job records with financial relevance may be retained for seven years in line with SARS requirements.
  • All South African organisations must appoint an information officer and publish a privacy policy — even sole proprietors and small businesses.
  • POPIA compliance requires both technical controls (like those in WorkOrderPro) and operational policies and documentation as a business.

Internal Linking Suggestions

  • Anchor: "GPS tracking consent", Target: /features/gps-tracking, Context: Direct link to the GPS tracking feature page which explains the consent and retention model.
  • Anchor: "our POPIA policy", Target: /popia, Context: Provides readers with the platform's own compliance documentation.
  • Anchor: "job photos and data retention", Target: /features/job-photos, Context: Links to the photo feature page which details how photos are stored and retained.
  • Anchor: "data subject access requests", Target: /popia, Context: Supports the DSAR section with additional detail on how the platform handles these requests.

FAQ Section

Q: Does POPIA apply to small field service businesses in South Africa? A: Yes. POPIA applies to any organisation — including sole traders and small businesses — that processes personal information. A plumbing business that holds customer addresses, phone numbers, and job site photos is processing personal information and is subject to POPIA. The scale of compliance obligations may vary, but the basic requirements apply to all.

Q: Do I need written consent from technicians before using GPS tracking? A: Yes. Tracking an employee's GPS location is a form of employee monitoring that requires informed, documented consent under POPIA. The consent must explain what data is collected, how it is used, how long it is retained, and who has access to it. A verbal agreement or an undisclosed clause in an employment contract is not sufficient.

Q: How long can I keep job photos under POPIA? A: POPIA does not specify a fixed retention period — it requires that personal data is retained only as long as necessary for the original purpose. For job photos, a retention period of two to three years (covering the period in which a customer dispute or warranty claim could arise) is a defensible position for most field service businesses. Document your retention policy and apply it consistently.

Q: What is a DSAR and do I need to respond to one? A: A DSAR (Data Subject Access Request) is a formal request from an individual for access to the personal data you hold about them. POPIA gives individuals this right. If a customer or a former technician submits a DSAR, you must respond within a reasonable time and provide the requested information or a valid reason why you cannot. WorkOrderPro supports DSAR responses by providing structured job records.

Q: What happens if I do not comply with POPIA? A: Non-compliance with POPIA can result in enforcement action by the Information Regulator of South Africa. The Regulator can issue compliance notices, conduct investigations, and impose administrative fines. The maximum fine under POPIA is R10 million, and in cases of intentional interference with personal information, criminal liability can apply. Most small business compliance failures are more likely to result in a compliance notice than immediate heavy fines, but the risk is real.

Ready to run your jobs on WorkOrderPro?

Start a free trial. No credit card required. Set up your first job card in under 10 minutes.

Start free trialMore articles