POPIA Compliance Checklist

Comprehensive checklist for Protection of Personal Information Act compliance

A comprehensive checklist to ensure your organisation complies with the Protection of Personal Information Act (POPIA), Act 4 of 2013. Use this checklist to assess and maintain compliance with South Africa's data protection legislation.

1. Information Officer Appointment and Registration

  • Appoint an Information Officer (the head of the organisation is the default Information Officer under Section 1 of POPIA)
  • Consider appointing Deputy Information Officers where necessary (Section 56)
  • Register the Information Officer with the Information Regulator
  • Ensure the Information Officer understands their duties under Section 55 (encouraging compliance, handling requests, and working with the Information Regulator)
  • Develop and publish a PAIA manual (Section 51 of the Promotion of Access to Information Act) as required by Section 17 of POPIA

2. Lawful Processing Conditions

POPIA sets out 8 conditions for lawful processing in Chapter 3. Ensure your organisation meets all applicable conditions:

  • Condition 1 - Accountability: The responsible party must ensure compliance with all conditions (Section 8)
  • Condition 2 - Processing limitation: Personal information is processed lawfully, minimally, and with consent or another lawful ground (Sections 9-12)
  • Condition 3 - Purpose specification: Personal information is collected for a specific, explicitly defined, and lawful purpose (Sections 13-14)
  • Condition 4 - Further processing limitation: Further processing is compatible with the original purpose (Section 15)
  • Condition 5 - Information quality: Personal information is complete, accurate, not misleading, and updated where necessary (Section 16)
  • Condition 6 - Openness: Data subjects are made aware of information being collected and the purpose (Sections 17-18)
  • Condition 7 - Security safeguards: Appropriate technical and organisational measures are in place to protect personal information (Sections 19-22)
  • Condition 8 - Data subject participation: Data subjects can request access to, correction of, or deletion of their personal information (Sections 23-25)

3. Data Subject Consent and Notification

  • Obtain consent that is voluntary, specific, and informed (Section 11)
  • Ensure consent mechanisms allow data subjects to withdraw consent at any time
  • Where consent is not the lawful ground, document the applicable justification (e.g., contractual necessity, legal obligation, legitimate interest)
  • Provide notification to data subjects at the time of collection as required by Section 18 (identity of responsible party, purpose, recipients, rights, etc.)
  • Maintain records of consent obtained for each processing activity

4. Purpose Specification and Limitation

  • Document the specific purpose for each category of personal information collected (Section 13)
  • Ensure personal information is not retained longer than necessary for the purpose for which it was collected (Section 14)
  • Establish and document retention periods for each category of personal information
  • Implement processes to destroy, delete, or de-identify personal information once the purpose has been achieved (Section 14(4))
  • Assess any further processing against the compatibility test in Section 15

5. Data Quality and Security Safeguards

  • Take reasonable steps to ensure personal information is complete, accurate, not misleading, and up to date (Section 16)
  • Implement appropriate technical measures to protect personal information (encryption, access controls, firewalls) (Section 19)
  • Implement appropriate organisational measures (policies, training, access management) (Section 19)
  • Ensure operators (third-party processors) have adequate security measures and are bound by contract (Section 21)
  • Establish a data breach notification process as required by Section 22
  • Use VerifyNow for identity verification to ensure data quality when collecting and verifying personal information

6. Trans-border Data Transfers

  • Identify all instances where personal information is transferred outside South Africa
  • Ensure the recipient country has adequate data protection laws, or that one of the Section 72 exceptions applies
  • Where relying on consent for trans-border transfers, ensure the data subject is informed of the risks
  • Implement binding corporate rules or contractual safeguards where applicable (Section 72(1)(a))
  • Document all trans-border transfers and the legal basis relied upon

7. Record Keeping Requirements

  • Maintain a register of all processing activities conducted by the organisation
  • Document the lawful basis for each processing activity
  • Keep records of all data subject requests and the responses provided
  • Maintain records of any data breaches and notifications made
  • Keep records of all consent obtained and any withdrawals of consent
  • Ensure records are retained in accordance with your documented retention schedule and other applicable legislation (e.g., FICA requires 5 years)