POPIA personal information impact assessments are the responsibility of the responsible parties; however, information officers are required to ensure that personal information impact assessments are conducted properly and are used to mitigate any negative impact on the individuals affected by the processing of their personal information. The purpose of the personal information impact assessment is to establish a record of how personal information is being processed and to evaluate the impact that this processing has on the fundamental rights of individuals, specifically their right to privacy.
The personal information impact assessment should describe the processing, assess the necessity and proportionality of the processing, and then be used to help manage the risks to the individuals resulting from the processing of personal information (by assessing the risks and determining the most appropriate measures to address these risks). The responsible party is to seek the advice of the information officer when carrying out a personal information impact assessment.
Personal information impact assessments are important tools for accountability, as they help responsible parties not only to comply with the requirements of the Protection of Personal Information Act, but also to demonstrate that appropriate measures have been taken to ensure compliance with the Act. In other words, a personal information impact assessment is a process for building and demonstrating compliance.