Various charts display progress with the implementation of the POPIA compliance framework as well as the status of the technical and organisational measures implemented to protect personal information.
POPIA preliminary assessments are the responsibility of the responsible parties, however information officers are required to ensure that preliminary assessments are conducted properly and are used to mitigate any negative impact on the individuals affected by the processing of their personal data. The purpose of the preliminary assessment is to establish a record of how personal information is being processed and to evaluate the impact that this processing of personal information has on the fundamental rights of individuals, specifically their right to privacy.
The preliminary assessment should describe the processing, assess the necessity and proportionality of the processing and then be used to help manage the risks to the individuals resulting from the processing of personal data (by assessing the risks and determining the most appropriate measures to address these risks). The responsible is to seek advice of the information officer when carrying out a preliminary assessment.
Preliminary assessments are important tools for accountability as they help responsible parties to not only comply with requirements of the Protection of Personal Information Act, but also to demonstrate that appropriate measures have been taken to ensure compliance with the Act. In other words, a preliminary assessment is a process for building and demonstrating compliance.
The Information Regulator has issued Regulations relating to the protection of personal information. These Regulations clarify some of the requirements of the Protection of Personal Information Act and add further obligations related to the processing of personal information.
4(1) Subject to the provisions of section 55 of the Act, an information officer must ensure that:
The Regulations relating to the protection of personal information require information officers to ensure that internal measures are developed together with adequate systems to process requests for information or access thereto.