Condition 1: Accountability (§8–11)
Information Officer designation, PAIA manual, compliance framework, data inventory and PIAs per §8–11.
Q1. An Information Officer has been designated and registered with the SA Information Regulator.
Q2. The PAIA manual has been published and is current.
Q3. A POPIA compliance framework and policies are documented.
Q4. A data inventory and mapping exercise has been completed.
Q5. Privacy Impact Assessments (PIAs) are conducted for new processing activities.

Condition 2: Processing Conditions (§12–25)
Lawful basis, purpose limitation, data minimisation, retention schedules and special PI safeguards per §12–25.
Q1. A lawful basis is documented for every processing activity.
Q2. Purpose limitation is applied: data is not processed beyond the stated purpose.
Q3. Data minimisation is enforced: only necessary personal information is collected.
Q4. Retention and disposal schedules are defined and enforced for all PI categories.
Q5. Special personal information (health, race, criminal records) has extra safeguards.

Condition 3: Data Subject Rights (§23–25)
Access requests, correction, deletion, objections, automated decisions and DSR audit trails per §23–25.
Q1. An access request process exists with a 30-day SLA.
Q2. Correction and deletion of personal information are handled within the prescribed timeframes.
Q3. Objections to processing are formally assessed and responded to.
Q4. Automated decision-making is disclosed to data subjects per §71.
Q5. DSR requests are tracked with an audit trail.

Condition 4: Security Safeguards (§19–22)
Technical and organisational security measures, operator contracts, staff training and access controls per §19–22.
Q1. Technical and organisational security measures protect personal information per §19.
Q2. Operators are governed by written contracts with security requirements per §20–21.
Q3. POPIA awareness training is conducted for all staff with access to PI.
Q4. Physical and access controls restrict PI to authorised staff.
Q5. Security controls are reviewed and updated regularly.

Condition 5: Breach Notification (§22)
Breach response procedures, detection, regulator notification, data subject notification and post-breach review per §22.
Q1. A breach response procedure is documented per §22.
Q2. A breach detection and assessment process exists.
Q3. A process to notify the Information Regulator is in place.
Q4. Affected data subjects are notified when their rights are materially impacted.
Q5. Post-breach reviews feed improvements back into security controls.