Somewhere in South Africa, a small business has a customer list living in a spreadsheet called “CLIENTS FINAL FINAL USE THIS ONE”.
It sits on someone’s laptop. Also maybe in someone’s inbox. Also possibly exported to a phone. Also floating around in a WhatsApp group because the team needed to arrange deliveries quickly and, shame, everyone was busy.
The list has names, phone numbers, email addresses, delivery addresses, order notes, payment references, customer preferences, and possibly one person’s very specific instruction to “please do not phone, my baby naps at 2”.
And because nothing bad has happened yet, the business assumes everything is fine.
That is usually how the trouble starts.
Use this article when customer details are scattered across laptops, inboxes, phones, group chats or forms, and the business has not yet turned data handling into a visible operating habit.
Trust is not only built when the parcel arrives on time or when the customer gets a friendly reply. Trust is also built in how carefully a business handles the information the customer had to share in order to buy from it.
This is where I find myself thinking about Amazon’s Leadership Principle of Earn Trust in my own South African context. Earn Trust is not about smiling nicely while the back office behaves like a data piñata. It is about listening, being candid, acting respectfully, being willing to look at yourself honestly, and working hard to keep trust once it has been given.
In South Africa, that trust conversation has a legal and ethical backbone: POPIA, the Protection of Personal Information Act.
And let us be clear: this is not legal advice. I am looking at POPIA through a practical customer experience and process improvement lens for entrepreneurs, sellers, service providers and small teams who want to build trust with a bit more discipline and a bit less “it is probably saved somewhere”.
At a practical level, POPIA is there to protect personal information by setting conditions for how it may be collected, used, stored, shared and deleted. It does not exist to stop people from running businesses. It exists to stop personal information from being treated like loose flyers at a robot.
For a small business, personal information can include names, numbers, email addresses, delivery details, order history, payment references, complaint records, WhatsApp messages, loyalty lists, customer preferences, photos, identity documents where collected, and business contact details where those identify a company or person.
The practical test is simple. If you can use it to identify, contact, deliver to, invoice, follow up with, profile, market to, or make a decision about someone, treat it with care.
That care does not begin with a privacy policy hidden in the footer of a website like a nervous gecko. It begins with knowing what information you collect and why.
Start with visibility
This is where a simple Data Promise Map can help.
A Data Promise Map is not a formal legal document. It is a practical process check. It asks:
What personal information do we collect?
Why do we collect it?
Where does it go?
Who can see it?
How do we protect it?
How long do we keep it?
How can the customer access, correct, object, opt out, or ask questions?
That may sound basic, but basic is where many businesses can wobble.
Start with the WhatsApp order list
For many small businesses, WhatsApp is not just a communication tool. It is the shop counter, customer service desk, booking system, order tracker, complaint channel and emotional support pigeon. Customers send names, addresses, proof of payment, product choices, delivery notes and sometimes highly personal context because the conversation feels informal.
Informal does not mean unimportant.
A WhatsApp order list still contains personal information. It is also worth remembering that any communication tool can create access, backup, forwarding and device-control risks if the business has not decided who may use it, where the information is stored, and what happens when someone leaves. If the team uses a shared phone, who can access it? If orders are copied into a spreadsheet, where is that spreadsheet stored? If staff leave, do they still have customer details on their personal devices? If screenshots are used to arrange delivery, where do those images end up? If the customer asks to stop receiving messages, does anyone actually action that request?
The point is not to make small businesses terrified of every message. The point is to stop pretending that convenience cancels responsibility.
Then there is the marketing list
This is where trust often gets cheeky.
A customer buys once, and suddenly they are added to every future promotion, launch, reminder, “just checking in”, “new stock has landed”, “last chance”, “happy spring”, and “we miss you” message the business can produce.
No, beloved. A single purchase is not a lifetime invitation to haunt someone’s phone.
POPIA has specific rules around direct marketing, especially electronic communication. In practical terms, small businesses should be careful about when they need consent, when they may rely on an existing customer relationship, and whether the customer has been given a clear, free and easy way to say no.
The trust principle here is simple: do not trap people in your marketing because they once trusted you with their details.
If a customer gives you their address to deliver an order, use it to deliver the order. If they give you an email for a receipt, do not treat that as permission to move permanently into their inbox with a camping chair and a ring light.
Marketing can be warm, useful and welcome. But only when the customer understands the relationship and has a real way to opt out.
The third place to look is the handoff
Small businesses rarely handle customer information alone. They share details with couriers, payment providers, booking platforms, marketplaces, email tools, accountants, web developers, virtual assistants, software systems and sometimes the cousin who helps during peak season.
Outsourcing the tool does not outsource the trust.
If a courier needs a name, number and address to deliver, that makes sense. If a payment provider needs certain transaction details, that makes sense. But the business should still know who receives what, why they receive it, and whether there are reasonable safeguards in place.
This does not mean every entrepreneur must become a data lawyer overnight. It does mean the business should stop treating customer information as something that can be casually forwarded, screenshotted, exported, duplicated or forgotten.
POPIA also speaks to keeping information accurate, not collecting more than needed, being open about the purpose, protecting records properly, allowing people to participate in their own information, and not holding onto data forever without a lawful reason.
That gives small businesses a useful trust test.
Do we collect only what we need?
Do we tell customers why we need it?
Do we protect it from nosy humans and careless systems?
Do we know who has access?
Do we stop keeping it when we no longer have a valid reason?
Those questions are not only for compliance. They are for credibility. Because every unnecessary data field is another little suitcase of responsibility the business has to carry.
If you do not need a customer’s identity number, do not collect it. If you do not need their full birth date, do not ask for it because the form had space. If old market-day sign-up sheets are sitting in a box somewhere, decide whether they still serve a lawful purpose. If customer records are saved across personal phones, random folders and forgotten email exports, the business does not have a data process. It has a treasure hunt with consequences.
Security also matters
Protecting customer information does not always require expensive systems. It starts with sensible habits. Passwords that are not shared like family recipes. Access limited to people who actually need it. Multi-factor authentication where possible. Customer sheets not left open on desks. Waybills not tossed into public bins. Old staff access removed. Devices locked. Teams trained not to overshare, click suspicious links, or forward customer details into every group chat with a pulse.
A customer’s delivery address should not be protected by “I think it is on someone’s phone somewhere.”
And if something does go wrong, trust depends on honesty.
Data leaks, lost devices, misdirected emails, exposed spreadsheets, hacked accounts, and unauthorised access are not just IT problems. They are trust events. The Information Regulator’s guidance on POPIA security compromises makes it clear that responsible parties must report security compromises and notify affected data subjects.
This matters because trust is not only how carefully you guard the gate. It is how honestly you behave if the gate breaks.
The deeper lesson
The deeper lesson is this: customer data is part of the customer experience.
It may not arrive in the parcel. It may not appear on the receipt. It may not be mentioned in the review. But it sits underneath the relationship. Customers trust businesses with pieces of themselves so the business can serve them. That trust should not be treated as admin clutter.
For South African entrepreneurs, this is also an opportunity.
A small business can build confidence by being clear, respectful and disciplined with information. By asking for less. Explaining better. Protecting properly. Letting people opt out without drama. Cleaning old lists. Checking who has access. Choosing service providers with care. Creating one simple internal rule: customer information is not casual.
A simple place to start is visibility: know what customer information you collect, why you collect it, where it goes, who can access it, and whether you still need to keep it.
That is how Earn Trust becomes more than a leadership phrase. It becomes a daily operating habit. Not loud. Not flashy. Not a massive compliance theatre production with twelve folders and a panic biscuit.
Just a business saying: if the customer trusts us with their details, we will treat that trust like part of the product.
Because your customer’s data is not confetti. It is not decoration. It is not free marketing fuel. It is not something to scatter across phones, spreadsheets, inboxes and forgotten folders because everyone was busy and the courier needed the address quickly.
It is a promise. And like every promise in business, it should be handled with care.
Where to start
For anyone unsure where to begin, the safest place to start is the Information Regulator South Africa’s official website and eServices portal, where businesses can find POPIA guidance, Information Officer registration resources, complaint processes and support contact options. For business-specific legal advice, it is still worth speaking to a qualified professional.
This is a personal thought piece, written in my private capacity from my own customer experience and process improvement perspective. It draws on publicly available information and reflects my own views, not the views of my employer. It is not legal advice.