This is not a paywall.

Register for free to continue reading.

We made a promise to you that we’ll never erect a paywall and we intend to keep that promise. We also want to continually improve your reading experience and you can help us do that by registering with us. It’s quick, easy and will cost you nothing.

Nearly there! Create a password to finish up registering with us:

Please enter your password or get a login link if you’ve forgotten

Open Sesame! Thanks for registering.

Don’t get complacent about POPIA: time for a data pro...

Sponsored Content

Almost one year ago, the Protection of Personal Information Act, 2013 (“POPIA”) came into force.

While some organisations appear to be content (and very likely complacent) about the effort they’ve invested to date to comply with POPIA, proactive organisations are now reflecting on the past year, and are strongly advised to:

  • assess whether the compliance measures they’ve taken to date meet the minimum requirements for compliance; and
  • establish what (if any) improvements can be made.

Many organisations have invested large amounts of time and money into their POPIA compliance. However,  numerous organisations are still unsure as to what the “must-haves” or mandatory obligations are when it comes to compliance, and where they should now be focussing their attention.

Some organisations are also not sure whether the time and effort invested in their compliance initiatives to date meet the minimum requirements for compliance.

With POPIA’s first anniversary looming, a question that many organisations are beginning to ask is: “Have we done enough to comply?”.For such organisations, a data protection health check is prescribed.

Below, we briefly discuss current trends and challenges we’ve seen many organisations face so far.

Theoretical to operative compliance

Many organisations are able to demonstrate a good level of “theoretical” POPIA compliance set out in their policies. However, it is less clear whether what has been documented on paper has actually been implemented in practice and whether operative compliance has been achieved.

For example, a business may have a well-drafted data subject access request policy, but staff may not be trained adequately to identify a data subject access request or to distinguish it from a request for a record in terms of the Promotion of Access to Information Act, 2002 (“PAIA”) and employees fall victim to phishing attacks.

Lack of knowledge, governance and training

Many organisations have not yet appointed information officers (or registered these officers with the Information Regulator). In terms of POPIA read with PAIA, the chief executive officer or their equivalent would automatically be the information officer unless they authorise another person to act in this role.

Without leadership from a properly trained information officer and a suitable compliance framework in place, policies and procedures of a business are not sufficiently understood and implemented by the workforce.

Data breaches most often occur due to human error when people and teams are unaware of what they should be doing to ensure compliance. Training for the information officer and staff should be ongoing (we recommend yearly and upon induction) and should be practical, easy to understand and relevant to the roles of those being trained.

Lack of key documentation

Although many organisations have good policies in place, some organisations are still missing key documentation to evidence accountability in terms of POPIA.

For example, many organisations do not have a process for conducting personal information impact assessments or have policies or procedures in place to deal with data subject access requests. 

Many organisations either do not have PAIA manuals in place or their manuals are outdated and do not take the changes into consideration brought about by the latest regulations promulgated in terms of PAIA.

In addition, existing incident response plans are often impractical and do not adequately address cyber insurance and the interaction between the notification requirements under POPIA and the Cybercrimes Act, 2020.

Data subject rights requests

Many organisations fail to understand how to balance the rights to access information in terms of POPIA and PAIA and the grounds for refusal of such requests. This may lead to complaints to the Regulator.

Risk assessments

While POPIA requires that information officers conduct a preliminary risk assessment, the reality is that businesses evolve with time and risks assessments concluded a year ago often don’t reflect the reality of the organisation’s processing activities. This is a major compliance gap. DM/BM

For further information, please contact:

Era Gunning


[email protected] 

Ridwaan Boda


[email protected] 


Comments - share your knowledge and experience

Please note you must be a Maverick Insider to comment. Sign up here or sign in if you are already an Insider.

Everybody has an opinion but not everyone has the knowledge and the experience to contribute meaningfully to a discussion. That’s what we want from our members. Help us learn with your expertise and insights on articles that we publish. We encourage different, respectful viewpoints to further our understanding of the world. View our comments policy here.

No Comments, yet

Please peer review 3 community comments before your comment can be posted