Protecting personal information in accordance with the Act requires a diverse set of skills and experience. With over twenty years' experience in the protection of personal information in Europe, the IT Governance Network is unique in the breadth and depth of its practical knowledge and experience. A number of its staff attended the Parliamentary meetings drafting the Protection of Personal Information Bill and they made six submissions, some of which are in the finalised Act.

The IT Governance Network is able to assist a wide range of clients, across all industries, to fulfill the requirements for lawful processing of personal information. Its practical, legal, business and information processing services enable clients to overcome the many challenges of the privacy legislation in a pragmatic way. Its software solutions, used in Europe, are available in South Africa too.


POPIA Services and Software Solutions enabling compliance:


Available POPIA Services:

  • Executive awareness about the obligations of responsible parties
  • Identification of personal information assets and business impact of privacy concerns
  • Legal and technical privacy threat and vulnerability analysis
  • PAIA manual preparation and update
  • Comprehensive IT legal register and update service
  • Evaluation of technical and organisational measures
  • Selection and implementation of privacy safeguards
  • Contracts with service providers
  • Service provider verification
  • Privacy by design
  • Privacy training and consulting services
  • Privacy programme management.


Available POPIA Software Solutions:



  • System to assign governance, management and operational data protection tasks to persons responsible across the enterprise, processors and sub-contractors; and to set priorities, implement strategy and use dashboards to track progress.

Context and interested parties

  • Establish the context and expectations of interested parties.

Obligations and guidance

  • Record data protection obligations and update a knowledge base with regulatory guidance.

Objectives, scope and policy

  • System to determine the data protection objectives, scope and planning, and policies for using and protecting personal data.



Inventories of processing

System to establish inventories and record:

  • details of personal data used at all locations
  • data transfers
  • outsourced processing and processes
  • sources and status of consent records
  • data protection processes and safeguards. 

Registers and libraries

System to record:

  • IT legal compliance obligations
  • contracts with processors and sub-contractors
  • data sharing templates and agreements
  • criteria for prior authorisation and consultation
  • legal, technical and organisational vulnerabilities
  • policies and operational practices
  • options for privacy by design and default
  • risk treatment options
  • risks and delegated risk owners
  • internal controls and protections to counter risks
  • audit programme templates.

Data protection impact assessments

System to conduct, record and maintain data protection impact assessments; develop privacy plans.



Involve the information officer

Orchestrate and track POPIA-related work

  • Assign operational tasks, implement and operate safeguards to treat risks and log performance.

Communicate the processing of personal data

  • Inform the information regulator and data subjects.



Consent management

  • Maintain granular records and track consent received from and withdrawn by data subjects.

Case management (handle data subject requests)

  • Respond to information requests and complaints. Notify data subjects of interferences and breaches.

Operate technical and organisational measures

  • Manage measures, the information life-cycle, lawful processing of personal data, changes in processing risk.

Incident Management

  • Respond to incidents, track actions through to closure.



Demonstrate compliance with POPIA

  • Manage a central repository of artefacts, event logs and audit trails to demonstrate compliance.

Evaluate the protection of operational systems

  • Audit the technical and organisational measures.

Assess compliance with the POPIA

  • Audit compliance of system functions with the POPIA.

Monitor processor (vendor) processing and guarantees

  • Audit the status of processor compliance.

Validate processor (vendor) assertions

  • Audit the operator assertions of compliance.



React to non-conformity and take corrective action

  • Plan, organise, direct and control the actions taken in response to non-conformance.

Continually improve suitability and adequacy

  • Create status and progress governance dashboards, and management and operational reports.

Communicate benefits realised

  • Summarise and report progress with improvements in the protection of personal data and increases in respect for data subjects’ rights.


For details of available POPIA training, visit:


Available Downloads:

  • King III and the protection of personal information (PDF)
  • POPI and Big Data (PDF)
  • POPI and Information Security (PDF)
  • POPI and Responsible Parties (PDF)
  • POPI and the PAIA Manual (PDF)
  • POPI and Conditions for Processing Personal Information (PDF)
  • POPI and the Information Officer (PDF)
  • POPI and Contracts with Operators (PDF)
  • POPI: Role of Information Officer in System Development (PDF)
  • POPI and the Impact on Cloud Computing (PDF)
  • POPI and the Impact on Healthcare Catering (PDF)