Why choose the IT Governance Network?

Global leaders in the design and implementation of IT governance frameworks and mechanisms.

Experienced, skilled and practical assistance in building capability and improving performance.

Quick and effective value delivery and the governance of risk management.

POPIA Compliance Framework and Monitoring System

POPI Compliance FrameworkThe Protection of Personal Information Act is technical and complex, it requires a wide range of technical and organisational measures to be implemented to protect the rights of natural and juristic persons to privacy.  To ensure compliance, the Information Regulator requires all organisations to develop and implement a compliance framework so that they can effectively monitor the protection afforded natural and juristic persons. 

A functionally rich POPIA Compliance Framework and Monitoring System supports small and large organisations effectively and efficiently achieve POPIA compliance. It enables organisations to jump start their POPIA programme by implementing an international standards-based POPIA compliance framework.   

More about the POPIA Compliace Framework and Monitoring System ...

An operator processing personal information on behalf of a responsible party or another operator, must process such information only with the knowledge or authorisation of the responsible party. The operator must ensure that the personal information being processed on behalf of a responsible party is complete, accurate, not misleading and update to date.

The responsible party must clarify in its contracts with operators, the services that the operators are engaged to provide. The transfer of personal information to the operator must be limited to what is necessary for the operator to fulfil its contractual obligations.

Operators may not further process personal information unless the purpose is compatible with the original purpose for which it was collected unless consent was obtained.

Security Safeguards

A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures.

Responsible parties are required to identify all reasonable foreseeable internal and external risks, and in terms of a written contract between the responsible party and the operator, ensure that the operator establishes and maintains the measures necessary to secure the confidentiality, integrity and accuracy of personal information in its possession or under its control.

Responsible parties may not enter into contracts with operators who cannot process personal information lawfully.

Technical and Organisational Measures

The contract between the responsible party and the operator must provide details of the technical and organisational measures that the responsible party has identified necessary for the operator to establish and maintain to address the internal and external risks to the processing of personal information, as identified by the responsible party.

The contract between the parties must also indicate that the responsible party understands the conditions under which the personal data will be handled by the operator.

The responsible party must verify that the operator has fulfilled its contractual obligations to implement and maintain effective technical and organisational measures to safeguard the data subjects’ rights.

The responsible party must validate the effectiveness of the technical and organisational measures implemented.

Service Provider Capability

Data subjects have the right to expect that the operator adheres to the conditions for lawful processing of personal information and therefore operators must be transparent in all aspects of the processing of personal information.

Data subjects have the right to request the deletion and destruction of personal information when this information is not accurate, irrelevant, excessive, out of date, incomplete or obtained lawfully. Operators will be required to destroy all personal information obtained unlawfully and may be requested to provide assurance that this was done properly.

At least annually, the responsible party must verify that the operators’ processing of personal information is lawful and the technical and organisational safeguards effective.

COBIT 5 Assessor mistakes!

Common mistakes by COBIT 5 assessors.

View video

King IV Corporate Governance Assessment

King IV assessmentAssess the current level of your organisation's corporate governance using this King IV assessment tool.


COBIT Assessment as a Service

COBIT 5 AssessmentConduct a COBIT assessment using this COBIT Assessment-as-a-Service.


POPIA Preliminary Assessments

it governance oversightPOPIA preliminary assessments provide an efficient and effective approach to determining the extent to which the requirements of the Protection of Personal Information Act have been addressed.


Go to top