Top 20 health-check questions for POPI Act compliance

Content provided by IACT Africa, specialist business consulting company with a focus on assisting organisations to add strategic value to IT Governance and IT Management.

Almost all organisations are faced with the challenge of achieving and maintaining compliance with the POPI Act. This handy Self-Assessment allows you to quickly identify the areas you need to focus on to be compliant with the POPI Act. Score one point for each “Yes” answer and then read the rating scale for your score below.

 *Protection of Personal Information Act No. 4 of 2013 (POPI Act).


Item # / Self-Assessment Item

1. Have we formally appointed an Information Officer to handle POPI (by default the Designated Head)? (Accountability)
2. Have we established a formal POPI project charter with scope, budget, timescale etc.? (Accountability)
3. Do we have a policy for dealing with Personal Information protection issues? (Accountability)
4. Can we prove we have trained our staff in their responsibilities under the POPI Act? (Accountability)
5. Can we show the Personal Information we process is not excessive? (Minimality)
6. Do we clearly specify what we are going to use the Personal Information for? (Specific purpose)
7. Can we prove that the people whose Personal Information we process have given their consent? (Consent)
8. Do we have an appropriate POPI-compliant privacy notice on our web site? (Notification)
9. Do we have POPI-compliant procedures for notification of security compromises? (Security)
10. Can we prove we are respecting the rules about Special Personal Information? (Special Personal Information)
11. Can we prove the Personal Information processed is accurate and up to date? (Information Quality)
12. If we are asked to pass on Personal Information, are our staff clear when the Act allows them to do so? (Further processing)
13. Can we prove the Personal Information is being held securely, whether it’s on paper, on computer or in any other format? (Security)
14. Do we have an up-to-date PAIA manual on our website? (Openness)
15. Do we have a process to handle Data Subject requests? (Data Subject participation)
16. Do we appropriately delete/destroy Personal Information in line with our retention policy? (Effective destruction & Retention Periods)
17. Have we reviewed all our contracts and policies to ensure POPI-compliant conditions? (Consent, Notification and Security)
18. Can we prove we are complying with the Electronic Direct Marketing requirements? (Chapter 8)
19. Can we prove we are complying with the Trans-border flows requirements? (Chapter 9)
20. Do we have a plan to sustain ongoing compliance with the POPI Act? (All aspects of the Act)

Total (score 1 point for each “Yes” answer)


Score interpretation:


0 – 5: DANGER ALERT: This indicates you are a long way from reaching compliance. Recommendation: act now by completing a full assessment and implementing a remedial action plan.

6 – 10: HEALTH-CHECK ALERT: You have made some progress, but there are still many areas that are non-compliant. Recommendation: act now by completing a full assessment and implementing a remedial action plan.

11 – 15: YOU ARE GETTING THERE: Well done, you are on the road to achieving compliance. Recommendation: focus on those areas where you answered “No”.

16 – 20: WELL DONE. You are in good shape but still have some work to do. Recommendation: make sure you have all the proof needed to justify your answer and focus on achieving the same performance level in the remaining areas. And remember, achieving and maintaining compliance is a journey, not a destination.


Acknowledgement: This self-assessment was developed by Dr Peter Tobin & Mr John Cato.

For more information and practical advice please contact the authors of this self-assessment who have the knowledge, skills and experience to support you in your journey to compliance with the POPI Act:

Dr Peter Tobin or 083-922-3444
