Protection of Personal Information

Various charts display progress with the implementation of the POPIA compliance framework as well as the status of the technical and organisational measures implemented to protect personal information.

POPIA personal information impact assessments are the responsibility of the responsible parties; however, information officers are required to ensure that personal information impact assessments are conducted properly and are used to mitigate any negative impact on the individuals affected by the processing of their personal information. The purpose of the personal information impact assessment is to establish a record of how personal information is being processed and to evaluate the impact that this processing of personal information has on the fundamental rights of individuals, specifically their right to privacy.

The personal information impact assessment should describe the processing, assess the necessity and proportionality of the processing and then be used to help manage the risks to the individuals resulting from the processing of personal information (by assessing the risks and determining the most appropriate measures to address these risks). The responsible party is to seek the advice of the information officer when carrying out a personal information impact assessment.

Personal information impact assessments are important tools for accountability as they help responsible parties to not only comply with requirements of the Protection of Personal Information Act, but also to demonstrate that appropriate measures have been taken to ensure compliance with the Act. In other words, a personal information impact assessment is a process for building and demonstrating compliance.

For more information, see How to perform a Personal Information Impact Assessment.

For help with your personal information impact assessments, contact an experienced information officer.


The Information Regulator has issued Regulations relating to the protection of personal information. These Regulations clarify some of the requirements of the Protection of Personal Information Act and add further obligations related to the processing of personal information.


Additional duties and responsibilities of information officers

4(1) Subject to the provisions of section 55 of the Act, an information officer must ensure that:

  1. a compliance framework is developed, implemented and monitored;
  2. adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
  3. preliminary assessments are conducted;
  4. a manual for the purpose of the Promotion of Access to Information Act and the Act is developed detailing—
    • the purpose of the processing;
    • a description of the categories of data subjects and of the information or categories of information relating thereto;
    • the recipients or categories of recipients to whom the personal information may be supplied;
    • the planned trans-border or cross border flows of personal information; and
    • a general description allowing preliminary assessment of the suitability of information security measures to be implemented and monitored by the responsible party;
  5. the manual referred to in paragraph (d) is available—
    • on the website of the responsible party; and
    • at the office or offices of the responsible party for public inspection during normal business hours of that responsible party;
  6. internal measures are developed together with adequate systems to process requests for information or access thereto; and
  7. awareness sessions are conducted regarding the provisions of the Act, regulations made in terms of the Act, codes of conduct, or information obtained from the Regulator.

Information officer tools

The Regulations relating to the protection of personal information require information officers to ensure that internal measures are developed together with adequate systems to process requests for information or access thereto. 



King IV Corporate Governance Assessment

Assess the current level of your organisation's corporate governance using this King IV assessment tool.


COBIT Assessment as a Service

Conduct a COBIT assessment using this COBIT Assessment-as-a-Service.


POPIA Preliminary Assessments

POPIA preliminary assessments provide an efficient and effective approach to determining the extent to which the requirements of the Protection of Personal Information Act have been addressed.

