The following steps could serve as a guideline for POPIA implementation by data management professionals, with an example step sequence for outlining your bespoke compliance strategy that keeps your organisation's unique approach in mind. A cookie-cutter approach is not advisable, as all organisations have specific inherent risks that need to be incorporated into this process.

Table: Guideline and Step-Process to Implementation


Description and Suggestion for Data Management Teams

Step 1

·         Raise awareness of POPIA with all the data management professionals and across the organisation

·         This will ensure that all staff and professionals know about the Act, and are part of the compliance process towards a POPIA risk-adjusted mindset

·         This also looks at organisational and staff training

Step 2

·         Change the rules governing data requests and enrichment to comply with POPIA.

·         This step will ensure that all personal information extraction and manipulation is done in compliance with POPIA.

Step 3

·         Implement ISO 27001 baseline security controls (certification costs are a bit burdensome on smaller businesses. This should only be considered if the certification justifies the spend. This certification will benefit medium to larger organisations).

·         This measure will establish the baseline information security controls required to protect personal information

·         It will also help your organisation meet some of the GDPR requirements if your business deals with EU data subjects.

Step 4

·         Adopt a POPIA compliance culture.

·         This will change the attitude of all data management professionals towards the POPI Act. It will also emphasise the need for urgency to comply with the POPI Act.

Step 5

·         Align IT compliance and Risk policies, processes and procedures to POPIA.

·         This measure will change all the internal operating guides, gearing them towards compliance.

Step 6

·         Take accountability even for personal data residing with external service providers.

·         This will ensure that all personal information owned by the organisation, whether residing internally or externally, is treated in a similar manner.

·         The responsible party is still held responsible for data held or processed by third parties and operators/processors.

Step 7

·         Conduct a POPIA compliance assessment before procuring commercial off-the-shelf software.

·         This measure will ensure that all IT system procurement is compliant with the requirements of POPIA.

Step 8

·         Build POPIA compliance into the key performance areas (KPA) and key performance indicators (KPI) contracts of all data management professionals and data touchpoints.

·         This step will make sure that all data management professionals and staff prioritise POPIA compliance in their day-to-day activities.

Step 9

·         Finalise all requisite policies, processes and procedures to enable POPIA within the organisation.

·         This measure will put in place all requisite governance practices to enable POPIA compliance to be achieved within the organisation.

Source: (Agbor T, et al., 2018)
