1. Written appointment of the Information Officer (IO), unless the IO is the Chief Executive, in which case the appointment is automatic by law. Also appoint Deputy IOs (DIOs) if you believe this is necessary.
  2. Register the IO and DIO on the Information Regulator (IR) website and get your certificate of registration.
  3. Draft/ update your POPI policy and practice manual.
  4. Draft an Incident Response Plan (i.e. a plan that explains what happens if the Personal Information (PI) under your or your “operator’s” management and control is compromised).
  5. Draft/update your Privacy Policy for your website and business.
  6. Set up training sessions for your managers and staff who process PI, and at the training ensure that: (i) you keep an attendance register, (ii) you have them sign the Annexure to the Employment Contract on POPI, and (iii) you hand out the POPI policy for their reference.
  7. Ensure your s51 PAIA manual is crafted and posted on your website.
  8. Identify all “operators” as defined and ensure you enter into/obtain their contractual terms relating to POPI. Remember at least two matters must be addressed in that POPI contract with the “operator”:

(i) the operator must warrant that it complies with POPI and related PI statute, and
(ii) that it will immediately advise you if the information you provided to the operator is compromised whilst in the hands of the operator.

This is because YOU will have to report the data breach to the Regulator and contact the impacted data subjects.

  9. Data subject participation: Remember that ALL past and current suppliers, employees and clients/customers have the right under POPI to participate in their data. This basically means they must have a simple and effective channel (recorded by the employer) that allows them to contact the IO/DIO to request UPDATE, DELETION, DESTRUCTION, OBJECTION, COMPLAINTS and OPTING IN (for e-marketing purposes).

Remember that from 1 July 2021 all new data subjects must give their permission for e-direct marketing before you send out marketing collateral.

  10. I highly recommend you list all systems, tech and programmes you use and have your IT department give written assurance that all is in order: firewalls, anti-virus, user access, back-ups, encryption, etc.
  11. Finally, draw up an impact assessment matrix that requires each function to identify the processes it engages in that process PI, and then to ensure that the systems and staff conduct are up to scratch. Where any PI is sent outside of SA borders, where Special PI is dealt with, or where data subjects are under 18 years of age, ensure that the necessary POPI provisions are complied with.

If you have any questions about the above, please contact John Botha on
