“Delete at Your Own Risk”: The Year-End Records Mistake That Could Cost You Everything

Written By Heynes Kotze

This article will count 0.25 units (15 minutes) of unverifiable CPD. Remember to log these units under your membership profile.

Every December, accountants across South Africa make the same costly mistake.

We shred.
We delete.
We “spring-clean” our practices.

And that’s exactly how CBAPs walk straight into POPIA violations, SARS penalties, Companies Act breaches, and client disputes they never saw coming.

The truth?
In South Africa, no single law controls retention. You’re juggling POPIA, SARS, the Companies Act, employment laws, contracts, and client expectations, all at the same time. One wrong destruction decision can cost you years of credibility… up to R10 million in penalties or even significant jail time for serious violations.

Here’s the version no one tells small practices:

It’s not the five-year rule anymore.
It’s the “longest law wins” rule.
And if you don’t apply it, you’re at risk.

Let’s break it down, CBAP style: simple, clear, and brutally practical.

The Real Problem: One File, Three Laws, Three Timelines

Your typical client file can fall under:

  • POPIA — keep only as long as needed unless another law forces longer retention

  • SARS (TAA) — minimum five years from date of submission, extended for disputes or audits

  • Companies Act — seven years for most company records, indefinite for foundational documents like MOI and registers

Your file doesn’t care that you’re busy.
The law doesn’t care that you’re closing for December.
And your client definitely won’t care when they come back asking for something you already destroyed.

This is why professional bodies repeat the same golden rule:

When multiple laws apply, follow the longest retention period.

And that’s not a suggestion, that’s a compliance shield.

Why the “Five-Year Rule” Is Dangerous (or at least dangerously incomplete)

Some CBAPs still use this rule:

“If it’s older than five years, it’s out.”

Here’s why that’s a trap:

1. SARS’s five years doesn’t mean five years from the tax period, it means five years from when YOU submitted.

If you filed late, you created a longer retention period.

2. SARS automatically extends retention if:

  • There’s an objection

  • There’s an appeal

  • There’s an audit

  • There’s suspected misrepresentation

  • There’s a capital gain event (in some cases, retention stretches 10–15 years)

3. The Companies Act forces 7 years and for some documents, forever.

And POPIA respects those laws because POPIA allows retention when required by statute.

4. POPIA doesn’t override other laws, it yields to them.

If SARS says 5 years, POPIA agrees.
If Companies Act says 7 years, POPIA steps back.
If another law says “indefinite,” POPIA supports it.

The five-year rule isn’t wrong.

It’s just not enough.

The Mistakes CBAPs Make in December and Why They’re So Costly

Mistake 1: Destroying a file because “the purpose is finished.”

POPIA says delete when the purpose is done unless another law requires longer retention.
Spoiler: another law almost always does.

Mistake 2: Destroying records during an active SARS process.

If a file is under:

  • Audit

  • Verification

  • Dispute

  • Objection

  • Appeal

…it cannot be destroyed.
Not for five years.
Not for seven.
Not until the matter is finalized.

Mistake 3: Using an office shredder and thinking that counts as destruction.

POPIA requires destruction that prevents reconstruction.
Most office shredders don’t.
Bins definitely don’t.
A certificate of destruction does.

Mistake 4: Assuming POPIA lets you delete everything early.

POPIA allows deletion but only when ALL other laws release you.
You don’t get to choose.
The laws choose for you.

The Legal Reality

Here’s what the law actually says, no jargon:

POPIA (Section 14)

  • Keep records only as long as necessary

  • BUT you may keep them longer if another law requires it

  • When you destroy, it must be impossible to put the pieces back together

SARS (TAA Section 29)

  • Minimum 5 years from date of submission

  • Longer if:

    • You were late

    • There is an audit

    • There is an objection or appeal

    • SARS suspects misrepresentation

    • The record relates to a capital asset

Some files = 5 years
Others = 7
Some = 15
Some = “don’t even think about it yet”

Companies Act (Section 24)

  • Most company records: 7 years

  • Foundational documents: indefinite

Indefinite means for as long as the entity exists.
(Not forever in the philosophical sense, forever in the compliance sense.)

This is why the “one file, three timelines” problem is real and why only the longest timeline keeps you safe.

So What Do You Destroy? And When?

Here’s the simplest system a CBAP can use:

1. Apply the “Longest Law Wins” rule

Every time.
No exceptions.

2. Never destroy a record that is:

  • Linked to SARS queries

  • Linked to objections or appeals

  • Linked to employment disputes

  • Linked to a long-term asset

  • Linked to a company register

  • Linked to any unresolved client matter

3. Use secure destruction methods that POPIA approves of

POPIA doesn’t require a specific company.
It requires a specific outcome, that is the information must be impossible to reconstruct.

Certified destruction meets this standard and gives you evidence.

4. Keep certificates of destruction forever

Those certificates are your proof.
If you can’t prove destruction, the regulator assumes you didn’t comply.

5. Review retention schedules annually

Laws change.
Your practice evolves.
Your retention policy must evolve too.

Why This Matters for CBAPs

Compliant destruction isn’t just about avoiding fines.

It’s about:

  • Protecting yourself in disputes

  • Defending your clients

  • Positioning yourself as the expert who “keeps them safe”

  • Charging more for compliance-driven value

  • Running a practice that won’t blindside you later

When you get retention right, you sleep better.

When you get destruction wrong, you bleed time, money, and credibility.

Feeling Overwhelmed? That’s Normal and Exactly Why CIBA Exists

CBAPs tell us the same thing every week:

“Compliance is eating up my time. I don’t have a legal department, I only have me.”

You shouldn’t have to manage all this alone.

Join CIBA and we’ll show you how to turn POPIA, SARS, Companies Act, and record retention rules into simple, usable systems that protect your practice and grow your authority.

You don’t need more stress.
You need support that’s built for small practices, not big firms.

 

 

Trending

Latest Podcast

Featured
LinkedIn Live Audio - Edward James
Mar 26
LinkedIn Live Audio - Edward James
Heynes Kotze
Next

When You Go on Leave, Your Practice Doesn’t, Even in December