Blog / Compliance Engineering

POPIA compliance is an engineering decision, not a legal one.

By the time POPIA reaches the legal team, the consequential choices have already been made in the schema.

Compliance Engineering · 8 min read · May 2026

POPIA compliance is an engineering decision, not a legal one.

The short version

Where is POPIA actually decided?

In the data model: which tables hold personal information, who can read them, what is logged, and what a deletion cascades to.

What does compliant engineering produce?

A DPIA aligned to the architecture, a record of processing mapped to real tables, and data-subject rights implemented as features, not promised in prose.

What is the legal team's role then?

To ratify decisions the engineering already made correctly, not to discover them during an incident.

In full

A privacy policy does not answer who can read a table or what a deletion cascades to. The schema does, whether or not anyone was paying attention.

The Fourths · Engineering for regulated industries

Keep reading

Building in a regulated market?

Discovery calls are 30 minutes. We'll tell you if we're not the right fit.

POPIA compliance is an engineering decision, not a legal one.

Where is POPIA actually decided?

What does compliant engineering produce?

What is the legal team's role then?

More from the blog.

Audit trails as a first-class architectural concern.

Moving AI agents from proof-of-concept to production.

What AI integration actually means for a 20-person fintech.

Building in a regulated market?