
Activities POPIA Compliance Management Framework
Objective: Create a POPI Compliance Management Framework in terms of paragraph 4(1)(a) of the Regulations issued under the POPI Act.
NOTE: All categories and activities are approximations and will depend on the specifics of your project. If appointed and registered, the Information Officer may take the role of Project Leader.
Included in the toolkit
Compliance Statement
| Activity No | Activity | Template | Main POPIA Reference | Mandatory? |
|---|---|---|---|---|
| 00.0 | Create _Compliance Statement | _Compliance Statement | | Optional |
Documentation Management
| Activity No | Activity | Template | Main POPIA Reference | Mandatory? |
|---|---|---|---|---|
| 00.0 | Create Summary 0 – Documentation Management | 00.0_Summary Category 0_00_Documentation Management | | Optional |
| 00.1 | Create Summary POPIA Compliance Management Framework | 00.1_Summary POPIA Compliance Management Framework | POPIA: Section 8 & 109(3)(g); Regulations: R. 4(1)(a) | Mandatory |
| 00.2 | Create a Document Retention and Destruction Policy | 00.2_Document Retention and Destruction Policy | POPIA: Section 14 & 109(3)(g) | Mandatory |
| 00.3 | Create a Personal Information Assets Information Classification Matrix and Handling Guide | 00.3_Personal Information Assets Information Classification Matrix and Handling Guide | POPIA: Section 109(3)(g) | Recommended |
| 00.4 | Create an Archiving of Records Register [To keep record of documents in archive] | 00.4_Archiving of Records Register | POPIA: Section 14 & 109(3)(g) | Mandatory |
| 00.5 | Create a Record Disposal Certificate [To keep record of disposed documents] | 00.5_Record Disposal Certificate | POPIA: Section 14 & 109(3)(g) | Recommended |
| 00.6 | Create a Records Disposal Register [To keep record of disposed documents] | 00.6_Records Disposal Register | POPIA: Section 14 & 109(3)(g) | Recommended |
| 00.7 | Develop & Implement a Register of Processing Documentation | 00.7_Section 17 Register of Processing Documentation | POPIA: Section 8 & 17; Regulation: | Mandatory |
| Additional Resource | Presentation: POPIA Awareness4_Security Measures in the Context of POPI – Leadership | | | |
Preparation for the Project
| Activity No | Activity | Template | Main POPIA Reference | Mandatory? |
|---|---|---|---|---|
| 01.0 | Create Summary 1 – Preparation for the Project | 01.0_Summary Category 01.0 – Preparation for the Project | | Optional |
| 01.2 | Develop a risk assessment questionnaire and conduct a risk assessment. | 01.2_POPI Security Risk Assessment – Companies | POPIA: Section 8, 19 & 109(3)(g); Regulation: R. 4(1)(d) | Mandatory |
| 01.4 | Draw up an executive letter from the head of the Organisation to show staff and outside contractors that top management supports the implementation of a POPI Compliance Management Framework for the Organisation. | 01.4_POPI Executive Support Letter | POPIA: Section 8; Regulation: R. 4(1)(e) | Mandatory |
| 01.5 | Draw up a cover letter for the Staff Members Knowledge Questionnaire | 01.5_Project Cover letter for Staff Members Knowledge Questionnaire | POPIA: Section 8; Regulation: R. 4(1)(e) | Mandatory |
| 01.6 | Draw up a cover letter for the Leadership Knowledge Questionnaire | 01.6_Project Cover letter for Leadership Knowledge Questionnaire | POPIA: Section 8; Regulation: R. 4(1)(e) | Recommended |
| 01.7 | Develop a start questionnaire to determine staff members' knowledge | 01.7_Project Start Questionnaire Staff Members Knowledge | POPIA: Section 8; Regulation: R. 4(1)(e) | Recommended |
| 01.8 | Develop a start questionnaire to determine leadership knowledge | 01.8_Project Start Questionnaire Leadership Knowledge Questions | POPIA: Section 8; Regulation: R. 4(1)(e) | |
| 01.9 | Develop a checklist to determine the data protection designation of the organisation | 01.9_Determining the Data Protection Designation of the Organisation | POPIA: Section 1 | |
| Additional Resource | 12.1.2_Checklist_Staff Awareness Training; 12.2.2_Guideline Are you a Responsible Party or an Operator | | | |
Implement & Maintain Governance & Leadership Structure
| Activity No | Activity | Template | Main POPIA Reference | Mandatory? |
|---|---|---|---|---|
| 02.0 | 02_Implement & Maintain Governance & Leadership Structure | 02_Implement & Maintain Governance & Leadership Structure | | |
| 02.1 | Develop and implement a Personal Information Protection Policy. | 02.1_Personal Information Protection Policy | POPIA: Section 8 & 109(3)(g); Regulations: R. 4(1)(d) | Mandatory |
| 02.2 | Draw up an appointment letter for the Information Officer | 02.2_Appointment Letter Information Officer | POPIA: Section 55(1), 55(2); PAIA: Section 17, 90(1), 90(2), 90(3) & 77K; POPIA Regulation: R. 4 | Mandatory |
| 02.3 | Draw up a letter for the Authorisation of an Information Officer | 02.3_Authorisation Letter Information Officer | POPIA: Section 55(1), 55(2); PAIA: Section 17, 90(1), 90(2), 90(3) & 77K; POPIA Regulation: R. 4 | Optional |
| 02.4 | Draw up an appointment letter for the Deputy Information Officer | 02.4_Designation Letter Deputy Information Officer | POPIA: Section 55(1), 55(2); PAIA: Section 17, 90(1), 90(2), 90(3) & 77K; POPIA Regulation: R. 4 | Optional |
| 02.5 | Develop, draw up and get signed an addendum to employees' current service agreements | 02.5_Access and Confidentiality Agreement with Employees | POPIA: Section 5; Regulation: | Mandatory |
| 02.6 | Develop Letter to Employees Privacy Notification | 02.6_Letter to Employees Privacy Notification | POPIA: Section 18 | Recommended |
| 02.7 | Develop POPIA Section 18 Privacy Notification – Employees | 02.7_POPIA Section 18 Privacy Notification – Employees | POPIA: Section 18 | Recommended |
| 02.8 | Do a personal information impact assessment to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information | 02.8_Template Data Protection Impact Assessment.asd | POPIA: Sections 8, 19 & 19(3)(g); Regulation: R. 4(1)(a) | Recommended |
| Additional Resource | 12.1.4_Checklist Section 17 – Documentation of processing operations; 12.2.4_Guideline Documentation Processing Operations | | | |
Data Subject Rights
| Activity No | Activity | Template | Main POPIA Reference | Mandatory? |
|---|---|---|---|---|
| 03.0 | | 03.0_Summary 03_Data Subject Rights Policies & Procedure | | |
| 03.1 | Create Procedure for Handling of Individual Rights | 03.1_Procedure for Handling of Individual Rights | POPIA: Section 5 & 109(3)(g); Regulations: Regulation 4(1)(d) | Mandatory |
| 03.2 | Create Consent for Processing of Personal Information | 03.2_Consent to Process Personal Information Policy | POPIA: Section 14(7); Regulations: Regulation 4(1)(d) | Mandatory |
| 03.3 | Develop & implement privacy notification for clients | 03.3_POPI Section 18 Privacy Notification – Clients | POPIA: Section 18 | Mandatory |
| 03.6 | Create Data Subject Request Register | 03.6_Data Subject Request Register | POPIA: Section 14(7); Regulations: Regulation 4(1)(d) | Recommended |
| 03.7 | Create Forms and Procedure for Objection to the Processing of Personal Information | 03.7_Form 1 Objection to the Processing of Personal Information | POPIA: Section 11(3); Regulations: Regulation 2 | Mandatory |
| 03.8 | Create Forms and Procedure for Request for Correction or Deletion of Personal Information or Destroying or Deletion of Record of Personal Information | 03.8_Form 2 Request for Correction or Deletion of Personal Information or Destroying or Deletion of Record of Personal Information | POPIA: Section 24(1); Regulations: Regulation 3 | Mandatory |
| 03.9 | Create Forms and Procedure for Request for Access to Record of Private Body | 03.9_Form C Request for Access to Record of Private Body | PAIA: Section 51(1)(b)(iv) & 51(1)(e); Regulations: Regulation 10 | Mandatory |
| 03.10 | Create Forms & Procedures for Withdrawal of Consent | 03.10_Withdrawal of Consent | POPIA: Section 11(2)(b) | Recommended |
| Additional Resource | 12.1.5_Checklist Data Subject Rights Forms & Procedures; 12.2.5_Guideline Data Subject Rights | | | |
Implement & Maintain Personal Information Inventory
| Activity No | Activity | Template | Main POPIA Reference | Mandatory? |
|---|---|---|---|---|
| 04.1 | Read How to find computer hardware | 04.1_How to find computer hardware | | Recommended |
| 04.2 | Create & Maintain Personal Information Assets Hardware | 04.2_Personal Information Assets Hardware | POPIA: Section 8 & 109(3)(g); Regulations: R. 4(1)(d) | Recommended |
| 04.3 | Create & Maintain Personal Information Assets Shared Databases | 04.3_Personal Information Assets Shared Databases | POPIA: Section 8 & 109(3)(g); Regulations: R. 4(1)(d) | Recommended |
| 04.4 | Create & Maintain Personal Information Assets Operating Systems and Software | 04.4_Personal Information Assets Operating Systems and Software | POPIA: Section 8 & 109(3)(g); Regulations: R. 4(1)(d) | Recommended |
| Additional Resource | 04.1_How to find computer hardware | | | |
Create & Maintain Policies & Procedures
| Activity No | Activity | Template | Main POPIA Reference | Mandatory? |
|---|---|---|---|---|
| 05.0 | | 05.0_Summary Create & Maintain Policies & Procedures | | |
| 05.1 | Create & Implement Information Quality Policy | 05.1_Information Quality Policy | POPIA: Section 8 & 109(3)(g); Regulations: R. 4(1)(d) | Recommended |
| 05.2 | Create & Implement Minimum Access Policy | 05.2_Minimun Access Policy | POPIA: Section 8 & 109(3)(g); Regulations: R. 4(1)(d) | Recommended |
| 05.3 | Create & Implement Password Management Policy | 05.3_Password Management Policy | POPIA: Section 8 & 109(3)(g); Regulations: R. 4(1)(d) | Recommended |
| 05.4 | Create & Implement Acceptable Use Policy of Computer Equipment | 05.4_Acceptable Use Policy of Computer Equipment | POPIA: Section 8 & 109(3)(g); Regulations: R. 4(1)(d) | Recommended |
| 05.5 | Create & Implement Social Media Policy | 05.5_Social Media Policy | POPIA: Section 8 & 109(3)(g); Regulations: R. 4(1)(d) | Recommended |
| 05.6 | Create & Implement Bring your Own Device Policy | 05.6_Bring your Own Device Policy | POPIA: Section 8 & 109(3)(g); Regulations: R. 4(1)(d) | Recommended |
| 05.7 | Create & Implement Clear Desk and Clear Screen Policy | 05.7_Clear Desk and Clear Screen Policy | POPIA: Section 8 & 109(3)(g); Regulations: R. 4(1)(d) | Recommended |
| 05.8 | Create & Implement Shred-it All Policy | 05.8_Shred-it All Policy | POPIA: Section 8 & 109(3)(g); Regulations: R. 4(1)(d) | Recommended |
| 05.10 | Create & Implement Removable Media Policy | 05.10_Removable Media Policy | POPIA: Section 8 & 109(3)(g); Regulations: R. 4(1)(d) | Recommended |
| Additional Resource | 12.2.1_Guideline Cybersecurity Practices for Small Organisations | | | |
Implement & Maintain Training & Awareness Program
| Activity No | Activity | Template | Main POPIA Reference | Mandatory? |
|---|---|---|---|---|
| 06.0 | | 06.0_Summary Implement & Maintain Training & Awareness Program | | |
| 06.1 | Employee Training Log | 06.1_Employee Training Log | POPIA: Section 8; Regulations: R. 4(1)(e) | Recommended |
| 06.2 | Employee Training Programme | 06.2_Employee Training Programme | POPIA: Section 8; Regulations: R. 4(1)(e) | Recommended |
| 06.3 | Awareness Poster – Email Phishing | Awareness Poster – Email Phishing | POPIA: Section 8; Regulations: R. 4(1)(e) | Recommended |
| 06.4 | Awareness Poster – Insider, Accidental or Intentional Data Loss | Awareness Poster – Insider, Accidental or Intentional Data Loss | POPIA: Section 8; Regulations: R. 4(1)(e) | Recommended |
| 06.5 | Awareness Poster – Loss or Theft of Equipment and Data | Awareness Poster – Loss or Theft of Equipment and Data | POPIA: Section 8; Regulations: R. 4(1)(e) | Recommended |
| 06.6 | Awareness Poster – Make secure choices | Awareness Poster – Make secure choices | POPIA: Section 8; Regulations: R. 4(1)(e) | Recommended |
| 06.7 | Awareness Poster – What is my responsibility regarding e-mail security | Awareness Poster – What is my responsibility regarding e-mail security | POPIA: Section 8; Regulations: R. 4(1)(e) | Recommended |
| 06.8 | Awareness Poster – What is my responsibility regarding passwords | Awareness Poster – What is my responsibility regarding passwords | POPIA: Section 8; Regulations: R. 4(1)(e) | Recommended |
| 06.10 | Awareness Poster – What are our client's (data subject) rights | Awareness Poster – What is our client's (data subject) rights | POPIA: Section 8; Regulations: R. 4(1)(e) | Recommended |
| 06.11 | Awareness Poster – What is our legal basis for processing personal information | Awareness Poster – What is our legal basis for processing personal information | POPIA: Section 8; Regulations: R. 4(1)(e) | Recommended |
| 06.12 | Awareness Poster – What is Personal Information | Awareness Poster – What is Personal Information | POPIA: Section 8; Regulations: R. 4(1)(e) | Recommended |
| 06.13 | Awareness Poster – What to do when Using a Mobile Device | Awareness Poster – What to do when Using a Mobile Device | POPIA: Section 8; Regulations: R. 4(1)(e) | Recommended |
| 06.14 | POPI Act Compliance Awareness Poster | POPI Act Compliance Awareness Poster | POPIA: Section 8; Regulations: R. 4(1)(e) | Recommended |
| 06.15 | POPI Awareness1_An Overview Leadership | POPI Awareness1_An Overview Leadership | POPIA: Section 8; Regulations: R. 4(1)(e) | Recommended |
| 06.16 | POPI Awareness2_An Overview All Staff | POPI Awareness2_An Overview All Staff | POPIA: Section 8; Regulations: R. 4(1)(e) | Recommended |
| 06.17 | POPI Awareness3_Mobile Devices All Staff | POPI Awareness3_Mobile Devices All Staff | POPIA: Section 8; Regulations: R. 4(1)(e) | Recommended |
| 06.18 | POPI Awareness4_Security Measures in the Context of POPI – Leadership | POPI Awareness4_Security Measures in the Context of POPI – Leadership | POPIA: Section 8; Regulations: R. 4(1)(e) | Recommended |
| 06.19 | POPI Awareness5_Collection of Personal Information in the Context of POPI – All Staff | POPI Awareness5_Collection of Personal Information in the Context of POPI – All Staff | POPIA: Section 8; Regulations: R. 4(1)(e) | Recommended |
| 06.20 | POPI Awareness6_Data Subject Rights – All Staff | POPI Awareness6_Data Subject Rights – All Staff | POPIA: Section 8; Regulations: R. 4(1)(e) | Recommended |
| 06.21 | POPI Awareness7_Electronic Communications – All Staff | POPI Awareness7_Electronic Communications – All Staff | POPIA: Section 8; Regulations: R. 4(1)(e) | Recommended |
| Additional Resource | 12.1.2_Checklist_Staff Awareness Training | | | |
Manage Information Security Risk during Communication & Transmission
| Activity No | Activity | Template | Main POPIA Reference | Mandatory? |
|---|---|---|---|---|
| 07.0 | | 07.0_Summary Manage Information Security Risk during Communication and Transmission | | |
| 07.2 | Create & implement Consent to Use Electronic Communication | 07.2_Consent to Use Electronic Communication | POPIA: Section 8 & 109(3)(g); Regulations: R. 4(1)(d) | Recommended |
| 07.3 | Create & implement Fax Cover Letter Confidentiality Notice and Disclaimer | 07.3_Fax Cover Letter Confidentiality Notice and Disclaimer | POPIA: Section 8 & 109(3)(g); Regulations: R. 4(1)(d) | Recommended |
| 07.4 | Create & implement Disclaimer Clauses for all Electronic Communications | 07.4_Disclaimer Clauses for all Electronic Communications | POPIA: Section 8 & 109(3)(g); Regulations: R. 4(1)(d) | Recommended |
| Additional Resource | 12.2.1_Guideline Cybersecurity Practices for Small Health Care Organisations | | | |
Third Party - Operator - Compliance Management
| Activity No | Activity | Template | Main POPIA Reference | Mandatory? |
|---|---|---|---|---|
| 08.0 | | 08.0_Summary Managing Third Party Compliance | | |
| 08.1 | Create and maintain an Approved Vendors/Operators list | 08.1_Approved Vendors_Operators | POPIA: Section 20, 21 & 22; Regulations: R. 4(1)(d) | Recommended |
| 08.2 | Create and prepare a Cover Letter to send with the Operator POPI Compliance Questionnaire | 08.2_Cover Letter Operator POPI Compliance Questionnaire | POPIA: Section 20, 21 & 22; Regulations: R. 4(1)(d) | Recommended |
| 08.3 | Create and prepare an Operator POPI Compliance Questionnaire | 08.3_Operator POPI Compliance Questionnaire | POPIA: Section 20, 21 & 22; Regulations: R. 4(1)(d) | Mandated |
| 08.4 | Check all third-party service provider agreements and, if necessary, implement the 08.5_Data Protection Agreement for Operators | 08.5_Data Protection Agreement for Operators | POPIA: Section 20, 21 & 22; Regulations: R. 4(1)(d) | Mandated |
| Additional Resource | 12.2.3_Guideline Understanding whether you are Processing Personal Information | | | |
Managing Direct Marketing
| Activity No | Activity | Template | Main POPIA Reference | Mandatory? |
|---|---|---|---|---|
| 09.1 | Create and maintain Application for the Consent of a Data Subject for the Processing of Personal Information | 09.1_Application for the Consent of a Data Subject for the Processing of Personal Information | POPIA: Section 69(2); Regulations: Regulation 6 | Mandatory for direct marketing |
| Additional Resource | 12.2.3_Guideline Understanding whether you are Processing Personal Information | | | |
Implement & Maintain Security Incident Procedures
| Activity No | Activity | Template | Main POPIA Reference | Mandatory? |
|---|---|---|---|---|
| 10.0 | | 10.0_Summary Implement & Maintain Security Incident Procedures | | |
| 10.1 | Create and maintain Data Breach Policy Security Compromise Policy | 10.1_Data Breach Policy Security Compromise Policy | POPIA: Section 8; Regulations: R. 4(1)(e) | Mandatory |
| 10.2 | Create and prepare 10.2_Data Breach Security Compromise Report Form | 10.2_Data Breach Security Compromise Report Form | POPIA: Section 8; Regulations: R. 4(1)(e) | Mandatory |
| Additional Resource | | | | |