POPIA Data Protection Policy
Template — South Africa

Defines the Information Officer under section 55 (the head of the organisation), the registration process with the Information Regulator, the appointment of Deputy Information Officers under section 56, the establishment of a data protection committee, clear reporting lines to the board or executive management, the allocation of budget and resources for POPIA compliance, and the personal accountability framework for each role. Includes the Information Officer's statutory functions under section 55(1).

Operational implementation of POPIA's eight conditions: (1) Accountability — the organisation is responsible for compliance; (2) Processing limitation — personal information may only be processed with consent, for contractual necessity, legal obligation, legitimate interest, or other lawful basis under section 11; (3) Purpose specification — information must be collected for a specific, explicitly defined purpose; (4) Further processing limitation — processing for a new purpose must be compatible with the original; (5) Information quality — information must be complete, accurate, and up to date; (6) Openness — data subjects must be notified of processing; (7) Security safeguards — appropriate technical and organisational measures; (8) Data subject participation — individuals have the right to access and correct their information.

Templates and procedures for maintaining comprehensive registers of all processing activities as recommended by the Information Regulator's guidance. Each register entry records: the category of data subjects (employees, customers, suppliers), the types of personal information processed, the purpose of processing, the lawful basis, recipients of the information, cross-border transfers, security measures, and retention periods. The register serves as the foundation for the organisation's POPIA compliance evidence and supports the PAIA manual.

Framework for obtaining, recording, and managing data subject consent under section 11(1)(a). Requirements for valid consent (voluntary, specific, informed), the right to withdraw consent at any time under section 11(2)(b), age verification for children's information under section 35, and the management of consent records as evidence of lawful processing. Distinguishes between consent and other lawful bases (contractual necessity, legal obligation, legitimate interest) to prevent over-reliance on consent.

Procedures for receiving, verifying, and responding to data subject requests within prescribed timeframes: the right to be notified of processing (section 18), the right to access personal information (section 23), the right to correction or deletion (section 24), the right to object to processing (section 11(3)), and the right to object to direct marketing (section 69). Covers identity verification, response timelines, fee structures (aligned with PAIA), and the process for refusing requests with reasons.

Comprehensive incident response procedures: breach detection mechanisms (monitoring, alerts, employee reporting), internal escalation to the Information Officer within 24 hours, risk assessment (nature of the breach, information affected, potential consequences), mandatory notification to the Information Regulator under section 22 as soon as reasonably possible (within 72 hours per the Regulator's guidance), notification to affected data subjects, remediation measures, and post-breach review. Includes breach notification templates aligned with the Regulator's requirements.

Requirements for transferring personal information outside South Africa under section 72: the recipient country must have adequate data protection laws, or the transfer must be protected by binding corporate rules, contractual safeguards (data processing agreements with standard contractual clauses), the data subject's consent, or another section 72 exception. Covers cloud computing (where data may be stored on servers outside South Africa), third-party service providers in other jurisdictions, and the documentation required for each transfer mechanism.

Retention schedules for all categories of personal information, aligned with the purpose limitation condition (section 14) — information must be destroyed, deleted, or de-identified as soon as the purpose for which it was collected has been achieved. Specific retention periods for different data categories (employment records, financial records, marketing data, CCTV footage). Secure destruction methods for both physical records (shredding, incineration) and electronic records (secure deletion, degaussing, physical destruction of media).

Enhanced protections for special personal information under section 26 (religious or philosophical beliefs, race, ethnic origin, trade union membership, political persuasion, health, sex life, biometric information, criminal behaviour) and children's personal information under section 35 (information of persons under 18). The specific lawful bases for processing special information under section 27, the requirement for competent person consent for children's information, and the enhanced security measures required for these data categories.

Integration of the section 51 PAIA manual as required by PAIA and cross-referenced by POPIA. The manual must describe: the organisation's contact details, the categories of records held, the categories of data subjects, how to request access to records, prescribed fees, and the availability of the manual on the organisation's website. The manual must be submitted to the Information Regulator and updated whenever the organisation's processing activities change materially.

Mandatory POPIA awareness training for all employees at induction and annually thereafter. Specialised training for employees who process personal information as a core function (HR, marketing, IT, finance, customer service). Training for the Information Officer and Deputies on their statutory responsibilities. Regular awareness campaigns. Documentation of training records as evidence for compliance demonstration during Information Regulator assessments.

Framework for managing "operators" — third parties who process personal information on behalf of the organisation under section 21. Requires written agreements (data processing agreements) establishing the operator's processing limitations, security obligations, breach notification duties, and audit rights. Due diligence on operators' POPIA compliance before engagement. Ongoing monitoring of operator compliance and the right to terminate the relationship for POPIA breaches.