Protection of Personal Information (POPIA) & the Right to Access to Information (PAIA)


Things to do

The deadline was 1 July 2021, but it’s not too late …


  1. Register your Information Officer at
  2. Conduct a detailed personal information impact assessment: how are you currently processing personal information (who, what, how, where?), what are the risks?
  3. In response to the personal information and the risks identified in your impact assessment, develop a compliance framework: an internal document that serves as the point of reference for the Information Officer, staff and (if requested) the Information Regulator when implementing, monitoring and verifying your POPIA compliance.
  4. What is your legal basis for processing personal information? Is it based on (documented!) consent or necessary to protect your, a data subject’s or a third party’s legitimate interest? Is it imposed by law or by a contractual obligation?
  5. Compile a (“Section 51”) POPIA/PAIA manual and make it publicly available (e.g. via your website). You’ll find (outdated) guidelines on how to develop a PAIA manual here. The Regulator has announced a new template (not yet available).
  6. Establish internal procedures to process requests for access, objection, amendment or deletion of personal information from data subjects or the Information Regulator.
  7. Educate your staff on how to lawfully process personal information of employees, clients, customers, suppliers, guests, etc.


Keep an eye out for “codes of conduct” for your business sector. POPIA allows organisations that “sufficiently represent any class of bodies, or any industry, profession, or vocation” to draw up their own, more specific conditions for processing personal information.