Our POPI Implementation Offering

The Protection of Personal Information Act (POPI) sets guidelines as to how organisations must process, retain and distribute personal information. Our focus at Exact Consulting is on privacy and the protection of personal information (PPI) in the organisation as a whole, and with a team of both expert legal and technical advisers we ensure the timely implementation of a comprehensive privacy solution.

POPI stipulates that eight compliance conditions are required for the lawful processing of personal information:

1. Responsibility:

  • Organisational policies, responsibilities and roles have to be established and complied with;
  • All employees of an organisation are responsible in some way for conforming to the regulations of dealing with personal information;
  • The protection of data is a King III requirement, and POPI further brings South Africa in line with global best practices that enforce commitment to good corporate and data governance.

2. Transparency:

  • A data subject must be notified when his/her personal information is obtained or captured;
  • An organisation must declare the processing of personal information to the Regulator.

3. Purpose Requirement:

  • Personal information must be collected for a lawful, explicitly defined and specific purpose;
  • At all times must the data subject be informed regarding the purpose of said personal information data collection;
  • Further principles apply to the storage, retention and deletion of personal information.

4. Additional Processing:

  • Further processing of personal information must be aligned with the initial purpose of the data collection;
  • Functionality for notification and objection from the data subject must be available.

5. Information Quality:

  • Quality processes must be in place to maintain data value;
  • Reasonable processes must be in place to ensure collected/captured information is available, accurate and up to date.

6. Restriction of Processing:

  • A defined boundary is established regarding the processing of personal information where processing should be lawful, rational and controlled. An organisation can’t claim ownership of any personal information;
  • Presenting the data subject with an “opt in” option simplifies the application;
  • The data subject must provide consent together with disclosure of a clear and understandable indication as to how the personal information will be used.

7. All-round Security:

  • Any personal information an organisation stores must be protected from unauthorised/unlawful access, unnecessary mutilation or deletion by implanting proven security tiers;
  • The organisation must ensure the reliability of personal information in all business spheres (both technically and operationally);
  • This extends to all parties that receive data from, or process data on behalf of the organisation.

8. Data Subject Involvement:

  • A data subject must be informed of his/her right to update or delete personal information from any of the organisation’s processes and/or systems;
  • The data subject may, at any time, request a validation from an organisation as to whether his/her personal information is held as well as requesting a description and reason for the retention of said personal information.


Exact Consulting’s proven implementation process: