Various charts display progress with the implementation of the POPIA compliance framework as well as the status of the technical and organisational measures implemented to protect personal information.
POPIA personal information impact assessments are the responsibility of the responsible parties; however, information officers are required to ensure that personal information impact assessments are conducted properly and are used to mitigate any negative impact on the individuals affected by the processing of their personal information. The purpose of the personal information impact assessment is to establish a record of how personal information is being processed and to evaluate the impact that this processing has on the fundamental rights of individuals, specifically their right to privacy.
The personal information impact assessment should describe the processing, assess the necessity and proportionality of the processing, and then be used to help manage the risks to individuals resulting from the processing of personal information (by assessing the risks and determining the most appropriate measures to address them). The responsible party is to seek the advice of the information officer when carrying out a personal information impact assessment.
Personal information impact assessments are important tools for accountability as they help responsible parties to not only comply with requirements of the Protection of Personal Information Act, but also to demonstrate that appropriate measures have been taken to ensure compliance with the Act. In other words, a personal information impact assessment is a process for building and demonstrating compliance.
The Information Regulator has issued Regulations relating to the protection of personal information. These Regulations clarify some of the requirements of the Protection of Personal Information Act and add further obligations related to the processing of personal information.
4(1) Subject to the provisions of section 55 of the Act, an information officer must ensure that:
The Regulations relating to the protection of personal information require information officers to ensure that internal measures are developed together with adequate systems to process requests for information or access thereto.