EDITORIAL NOTE

The client featured in this article runs one of the largest legal firms in KwaZulu-Natal. At their request, their name and the name of their firm have been altered to ensure complete anonymity. The details of their experience, their POPIA compliance concerns, and the outcomes they have achieved at Capital Vaults are real and accurately represented.

---

SNAPSHOT  |  Reading time: 10 minutes

When Priya Naidoo joined her father’s law firm straight out of articles, she inherited not just a practice — but two decades of original signed client documents. When POPIA came into effect, she realised that the filing room protecting those documents was not just inadequate. It was a liability.

What you will learn:

• Why one of KZN’s leading legal firms identified physical document storage as their most significant POPIA compliance gap
• The specific risk events that accelerated the decision to move client originals off-site
• How Capital Vaults was identified as a POPIA-aligned solution — and what the transition looked like

What other legal and financial professionals can learn from this firm’s experience

---

Priya Naidoo has been running Naidoo Mahomed & Associates — one of KwaZulu-Natal’s largest commercial law firms — for eleven years. She joined the practice her father built over two decades, learned every file, every client, every story that came through the door, and eventually took the helm when he retired.

She is not someone who makes decisions lightly. The firm’s reputation for meticulous documentation, rigorous confidentiality, and flawless client service is something she has spent her career building. So when she tells you that moving the firm’s most sensitive physical documents to Capital Vaults was one of the easiest decisions she has made in eleven years, it is worth paying attention to why.

 

The Filing Room That Kept Her Awake at Night

The filing room at Naidoo Mahomed & Associates is what you would expect from a twenty-year-old firm with an extensive commercial practice: floor-to-ceiling filing systems, carefully labelled, meticulously organised. Original signed documents from transactions dating back to the firm’s founding. Wills. Shareholder agreements. Property transfer documents. Signed powers of attorney. Original trust deeds.

The room is locked. Only senior staff have access. The building has an alarm system and armed response.

And none of that, Priya realised when POPIA came into full effect, was actually sufficient.

“We went through a comprehensive POPIA compliance review in 2022,” she explains. “The review covered our digital systems extensively — data processing agreements, privacy policies, cybersecurity protocols. Those were important and we addressed them properly. But when we got to the physical documentation, the review essentially flagged the filing room as our single largest compliance gap.”

The gap was specific: under POPIA, a responsible party must take appropriate, reasonable technical and organisational measures to prevent unauthorised access to personal information. The filing room, despite its locks and alarm, did not meet that standard for two reasons.

First, multiple staff members had physical proximity to client files as a function of their daily roles. Filing clerks, legal secretaries, and paralegal staff operated in and around the filing room regularly. The potential for inadvertent or deliberate unauthorised access was real and, under POPIA, the firm’s responsibility.

Second — and this was the risk that Priya found most uncomfortable — there had been a break-in at the building three years earlier. Nothing from the filing room had been taken. But the building had been entered. And the understanding that their physical security was not impenetrable stayed with her.

What Changed After the Break-In

The break-in three years earlier had been a commercial burglary focused on electronics — laptops, screens, a small amount of petty cash. The perpetrators had been in the building for approximately 45 minutes, based on CCTV analysis. They had passed the filing room door four times.

“The CCTV footage from that night is something I still think about,” Priya says. “The filing room was locked. But the lock is a standard commercial deadbolt. It would not have slowed someone down for more than a few minutes if they had known what was behind it.”

After the break-in, the firm upgraded its alarm system and invested in reinforced doors. These were sensible responses. But they addressed the perimeter, not the documents themselves.

“What I came to understand,” Priya explains, “is that no amount of improvement to the building’s security infrastructure changes the fundamental reality: the documents are in the building. And the building can be breached. What I needed was for the most sensitive originals to not be in the building at all.”

 

Finding Capital Vaults — and the POPIA Conversation

Priya’s first contact with Capital Vaults came through a colleague at a legal networking event. The conversation started with the technology — the robotic retrieval system, the Grade 7-2 vault, the biometric access.

“I am a lawyer,” she says drily. “I started asking the POPIA questions immediately. Who accesses the records of who visits? What is the data retention policy for biometric information? Can access be structured so that my paralegal can retrieve a document without being able to see what else is in the box?”

She found the answers satisfying. More than satisfying, actually.

“The zero-human-interaction element is the one that closed it for me. When I store client originals at Capital Vaults, not a single staff member at that facility ever sees those documents, handles them, or knows they exist. From a POPIA perspective, that is not just adequate — it is superior to virtually any other physical storage option available.”

 

The Transition — What Was Moved, and Why

Not everything in the filing room moved to Capital Vaults. The firm was methodical about the transfer.

The documents that moved were those that met two criteria: original signed documents with no practical ability to recreate them, and documents whose contents are directly protected under POPIA as personal information of identifiable individuals.

Original signed wills and codicils. Trust deeds. Shareholder agreements and joint venture contracts involving individual parties. Signed powers of attorney. Original title deed copies. Personal financial documentation and loan agreements. Certain categories of correspondence.

“We also moved a hard drive containing encrypted backups of our digital document management system,” Priya notes. “If we ever had a catastrophic digital failure — ransomware, a server room fire — that drive is the recovery point. It is in a Grade 7 vault. It will still be there.”

The Experience — and What Changed

Priya visits Capital Vaults between two and four times a month, typically early in the morning or late in the evening around client commitments.

“The 24/7 access is something I use constantly,” she says. “If I have a client meeting at 7:30am and I need the original trust deed from 2008, I can go at 6am. I do not need to coordinate with anyone. I do not need to unlock the office early. I go, I get it, I leave. The whole visit is fifteen minutes.”

The privacy of the experience has also been notable. “I am not visible. There is no record of my coming and going that exists in any person’s mind. For a law firm, that discretion has a value that goes beyond security compliance.”

The firm has also used the joint-access feature for one specific box containing the most sensitive partnership documents. “Two senior partners have access to that box, and it requires both of us to open it. That is a control mechanism we could not replicate in any other storage environment without significantly more infrastructure investment.”

 

The Advice She Would Give Other Legal Professionals

Priya is direct about what she would say to other attorneys, accountants, and financial professionals who have not yet addressed physical document security under POPIA.

“POPIA compliance is not optional, and the physical dimension of it is real. If you are storing original client documents in a filing room that has standard commercial security, you have a gap. If that room is accessible to support staff as part of their normal duties, the gap is significant.”

“Go and see Capital Vaults before you form an opinion about it. I went in expecting a storage facility and I found a security infrastructure that I genuinely could not fault. The POPIA conversation with the Information Regulator, if it ever happens, is one I can now have with complete confidence.”

“Excellent and professional service. They are patient and tolerant. I had no doubt to sign up immediately after my presentation.”

— Gerald Moodley, Capital Vaults Client

 

Visit capitalvaults.com or call 010 025 6361 to explore how Capital Vaults can address physical document security for your professional practice. Tours are available on request — no obligation required.