POPIA preliminary assessments are the responsibility of the responsible parties, however information officers are required to ensure that preliminary assessments are conducted properly and used to mitigate any negative impact on the individuals impacted by the processing of their personal data. The purpose of the preliminary assessment is to establish a record of how personal information is being processed and to evaluate the impact that this processing of personal information has on the fundamental rights of individuals, specifically their right to privacy.
The preliminary assessment should describe the processing, assess the necessity and proportionality of the processing and then be used to help manage the risks to the individuals resulting from the processing of personal data (by assessing the risks and determining the most appropriate measures to address these risks). The responsible is to seek advice of the information officer when carrying out a preliminary assessment.
Preliminary assessments are important tools for accountability as they help responsible parties to not only to comply with requirements of the Protection of Personal Information Act, but also to demonstrate that appropriate measures have been taken to ensure compliance with the Act. In other words, a preliminary assessment is a process for building and demonstrating compliance.