top of page

10 Steps to POPIA Compliance

Updated: Jul 14, 2021

The deadline for compliance with with the provisions of the Protection of Personal Information Act No 4 of 2013 has come and gone. If your organisation has not yet complied, it is not too late.

Here are 10 things which every business can do to approach compliance.

1. Appoint and register your Information Officer

With the commencement of POPIA, the role of the Information Officer has expanded

greatly, who now must ensure that the organisation complies with the provisions of PAIA as well as POPI.

Every organisation that falls under POPIA, must appoint an Information Officer and register that Information Officer with the Information Regulator.

2. Finalise your POPI Act compliance project

Complying with the POPI Act is not a simple process or something that can be done overnight. A proper project should be formalised to achieve this goal.

To this end every applicable organisation should identify the necessary stakeholders, the project sponsor, a project manager and the project goals and set the scope, timeline and budget for the project.

3. Train all stakeholders in your organisation

Personal Information will at some be handled by people in your organisation. Because POPIA compliance is fairly new, chances are that most stakeholders in your organisation are not aware of the stringent requirements of processing Personal Information. It is therefore imperative that these people be properly trained in the meaning of the Act, their obligations when processing Personal Information and the risks of not complying with these obligations.

4. Compile your PAIA manual

Find out if your organisation needs to have a PAIA manual as stipulated by the Promotion of Access to Information Act (PAIA). This is essentially this is a document that explains to people how they can obtain access to certain records held by an organisation.

If your organisation is not exempt, the current deadline for compiling a PAIA manual is 30 June 2021.

5. Compile your Privacy Policy

One of the cornerstones of the Protection of Personal Information Act, is the obligation relating to transparency - informing your

data subject on how you process their Personal Information. Having a properly drafted Privacy Policy that gives details on what information is processed and how it is processed, is the best and easiest way to comply with this obligation.

6. Perform a Gap-Analysis

A GAP-analysis is a method of comparing the actual status quo to desired level or target. For purposes of POPIA, this me

ans analysing your organisations current processes and policies and comparing that to the standard as set in the POPI Act.

Remember that a gap-analysis is always about where you want to be - in this case you want to be compliant with the Act.

7. Identify the sources of Personal Information

It is highly likely that there are various sources of Personal Information within your organisation. In order to comply with the Protection of Personal Information Act, you first have to understand where that Personal Information is being processed. Once you can identify every source, you are able to set up the correct policies and procedures on how to process every piece of Personal Information lawfully, in terms of the Act

8. Develop POPIA compliance policies

Once you have completed your gap-analysis and identified all the sources of Personal Information within your organisation, you should finalise compliance policies on the lawful processing of Personal Information within your organisation.

You should review existing policies and update them where necessary to bring them in line with the requirements of POPIA. If there are no policies new ones should be developed and communicated to all stakeholders. Ensure that your POPI policies are reasonable, appropriate, and enforceable.

9. Implement POPI compliant processes

Together with your POPI compliance Polices, you should formulate and implement POPI compliant processes. These processes must address the full Personal Information lifecycle, including acquisition, processing, retention and destruction of the information. Processes must be reasonable and appropriate and should also include self-assessment, health checks and audits as well as a dashboard for compliance.

10.Make POPI processes the "new normal"

Your orginasation and all stakeholders must come to a point where lawful processing of Personal Information in terms of the POPI Act should be business-as-usual, rather than a once-off effort to comply with the Act. Build POPI into your everday operations and ensure ongoing monitoring of Personal Information protection.

EeziLaw can assist your business with these steps and more in order for your business to become POPI compliant.


bottom of page