The purpose of a compliance framework for the Protection of Personal Information Act is to establish, develop, implement, evaluate, maintain and improve an effective and responsive monitoring system within the context of the organization and its use of personal information.

The content of the compliance framework will differ depending on the size and level of maturity of an organization and on the context, nature and complexity of the organization’s business activities. It should be based on the principles of good governance, proportionality, transparency and sustainability.

There are a number of reasons why an organization is required to have a compliance framework and monitoring system:

  • Being able to demonstrate commitment to compliance with the POPI Act, including the Regulations for the Protection of Personal Information, codes of conduct, binding corporate rules, organisational standards for data protection as well as standards of good corporate governance, best practices, ethics and data subject expectations.
  • Being able to safeguard their integrity, and avoid or minimize non-compliance with the Protection of Personal Information Act and its Regulations.
  • Being able to demonstrate socially responsible behaviour.

The compliance framework preserves a culture of respect for individual rights and the SA Constitution. Compliance with the Protection of Personal Information Act is made sustainable by embedding it in a culture, behaviour and attitude of the people working for an organization.
It is important that the compliance framework and monitoring system is part of and integrated with the organization’s processes and overall management structure and that compliance is considered in the design of:

  • organisational processes
  • information systems, and
  • internal controls.

It is expected that the compliance framework and monitoring system implementation will be scaled in accordance with the needs of the organisation. The Protection of Personal Information Act requirements are technical and complex and its implementation should be crafted for the specific needs of the organisation’s data subjects.

POPIA requires a process approach for establishing, developing, implementing, evaluating, maintaining and improving an effective and responsive compliance framework within the organisation. Every organisation needs to identify and manage many activities related to the processing of personal information in order to function effectively, therefore a process approach is adopted to understand and accurately assess the impact of the processing of personal information on the affected data subjects.


Why Processes?

Processes serve as the foundation for the definition of the remaining  elements – technology and people.

Processes capture and document:

  • ownership, responsibilities, measurements
  • consistent, structured working practices
  • policy decisions, scope and objectives
  • clear interfaces between the processes.

Processes ensure a stable, controlled, repeatable delivery of products and services that can be objectively measured against data protection objectives.