POPIA Compliance

POPIA Readiness Checklist: 20 Questions Every CIO Should Be Able to Answer

POPIA compliance is not a once-off project — it's an ongoing operational posture. Use this checklist to identify gaps before the Information Regulator does.

22 July 2026 · 10 min read · Montana Data Company, Compliance Team

How Ready Is Your Organisation, Really?

POPIA has been fully enforceable since 1 July 2021. Yet most South African organisations still treat compliance as a tick-box exercise — a policy document here, a privacy notice there — rather than an operational posture that holds up under scrutiny.

The Information Regulator's investigations are becoming more targeted. Complaints are rising. The question is no longer whether enforcement will reach your sector, but whether your organisation can demonstrate meaningful compliance when it does.

This checklist gives CIOs, compliance officers, and IT leaders 20 diagnostic questions that go beyond the surface. Work through them honestly. The gaps you find are your roadmap.


Section 1: Accountability and Governance

1. Have you appointed a registered Information Officer? Every responsible party must appoint an Information Officer (by default the head of the organisation, who may delegate the role) and register them with the Information Regulator before they take up their duties (section 55). This is not optional. If your organisation processes personal information and your IO is not registered, you have a gap under Condition 1 (Accountability) before anything else is assessed.

2. Does your Information Officer have documented authority and a budget? An IO who exists only on paper cannot discharge their obligations. Verify that the IO has a written mandate, access to legal counsel, and an operational budget for compliance activities.

3. Do you have a current PAIA Manual that is available as required? The Promotion of Access to Information Act (PAIA) manual must be kept up to date and made available in the ways PAIA requires, including on your website if you have one. Many organisations drafted a manual during the grace period and have not reviewed it since. The Information Regulator now administers PAIA as well as POPIA, and POPIA data subject access requests are made under PAIA, so the two are not separate programmes.

4. Can you demonstrate that your Board has been briefed on POPIA obligations? Condition 1 of POPIA requires the responsible party to take responsibility for compliance. This is a Board-level obligation. If the Board has never received a formal POPIA briefing, accountability is not properly assigned.


Section 2: Data Inventory and Mapping

5. Do you have a complete record of all personal information your organisation processes? You cannot protect data you do not know you have. A data inventory (sometimes called a Record of Processing Activities or ROPA) should document what personal information is collected, where it is stored, who can access it, and for how long it is retained.

6. Can you identify every third party that receives personal information from your organisation? Operators (third parties who process data on your behalf) must be governed by a written contract, as section 21 requires, that obliges them to maintain the security measures of section 19 and to notify you immediately of any suspected unauthorised access. If you cannot list your operators, you cannot confirm these agreements are in place.

7. Do you know where personal information flows across your network and into cloud services? Shadow IT and unmanaged SaaS adoption mean personal information often flows to cloud services that were never formally assessed. A data flow mapping exercise — even a lightweight one — is essential to understanding exposure.

8. Have you classified your data by sensitivity and applied appropriate controls? Not all personal information carries the same risk. Special personal information (religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, and criminal behaviour) may only be processed on the narrower grounds set out in sections 26 to 33 of POPIA, and the personal information of children is restricted in a similar way by section 34. Do you know which of your systems hold special personal information, and is access to those systems restricted accordingly?


Section 3: Processing Lawfulness and Purpose Limitation

9. For each category of personal information you process, can you identify the lawful basis? POPIA's Condition 2 (Processing limitation) requires that processing is lawful and that the responsible party can identify why it is entitled to process each category of data. Section 11 lists the grounds: consent; necessity for the conclusion or performance of a contract with the data subject; compliance with a legal obligation; protection of a legitimate interest of the data subject; performance of a public law duty; and the legitimate interests of the responsible party or a third party. Consent is often misused as a catch-all when a more appropriate basis exists, and it carries its own burden: the responsible party must be able to prove it.

10. Do your data subjects know what their information is used for, and does actual use match what they were told? This is the purpose limitation test. If your privacy policy says you collect email addresses for account management but your marketing team also uses those addresses for campaigns, you have a purpose limitation problem.

11. Do you have a mechanism to record and prove consent where consent is your lawful basis? POPIA defines consent as a voluntary, specific and informed expression of will, and section 11(2) places the burden of proving it on the responsible party. Consent collected via pre-ticked boxes, bundled with T&Cs, or without a genuine opt-out option does not meet that standard. A consent record you can actually rely on captures who consented, when, to which version of the privacy notice, and through which interface.


Section 4: Data Subject Rights

12. Do you have a documented process for responding to access requests within 30 days? Data subjects have the right to request access to their personal information. Your organisation must be able to receive, verify, and respond to these requests. If there is no process — no designated recipient, no response template, no tracking mechanism — you are not operationally compliant.

13. Can you action a deletion or correction request within a reasonable timeframe? Data subjects can request deletion (where retention is no longer justified) and correction of inaccurate information. The key question is whether these requests can actually be actioned — which requires knowing where the data lives.

14. Do you have a mechanism for data subjects to object to direct marketing? POPIA's section 69 prohibits direct marketing by electronic means (automatic calling machines, fax, SMS, email) without the data subject's consent, with one narrow exception: you may market your own similar products or services to an existing customer whose contact details were obtained in the context of a sale, provided the customer was given a reasonable opportunity to object both when the details were collected and in every subsequent communication. Each marketing message must also identify the sender and give an address at which the recipient can opt out. Your marketing systems must therefore be able to record which basis applies to each contact, honour opt-out requests promptly, and check every campaign against a suppression list before anything is sent.
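The gate a marketing system should apply to every campaign, as an added Python illustration written for this article (it is example code, not part of the original page or of any product): a recorded objection on the suppression list overrides every other basis; otherwise a message goes out only on recorded opt-in consent or on the existing-customer exception for similar products; and every queued message carries the sender identity and opt-out address that section 69(4) requires. The contact records and addresses are constructed for the example, and storing the suppression list as SHA-256 hashes of normalised addresses is a design choice of this example, not a POPIA requirement.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


def normalise_email(addr: str) -> str:
    """Canonical form, so 'Bob@Example.COM ' and 'bob@example.com' share one record."""
    return addr.strip().lower()


def suppression_key(addr: str) -> str:
    """SHA-256 of the normalised address. Keeping hashes (an assumption of this example,
    not a POPIA requirement) lets the suppression list be handed to a mailing operator
    without creating a second plaintext copy of the address list."""
    return hashlib.sha256(normalise_email(addr).encode("utf-8")).hexdigest()


@dataclass
class Contact:
    email: str
    opted_in: bool = False                  # explicit consent, section 69(1)
    existing_customer: bool = False         # details obtained in the context of a sale
    purchased_categories: Set[str] = field(default_factory=set)


class SuppressionList:
    """Addresses whose owners have objected to direct marketing, kept as hashes."""

    def __init__(self) -> None:
        self._keys: Set[str] = set()

    def add(self, addr: str) -> None:
        self._keys.add(suppression_key(addr))

    def contains(self, addr: str) -> bool:
        return suppression_key(addr) in self._keys


def marketing_basis(contact: Contact, campaign_category: str,
                    suppression: SuppressionList) -> Tuple[bool, str]:
    """Decide whether one contact may receive one campaign, and record why.
    Order matters: a recorded objection overrides every other basis."""
    if suppression.contains(contact.email):
        return False, "suppressed: data subject has objected"
    if contact.opted_in:
        return True, "s69(1): opt-in consent on record"
    if contact.existing_customer and campaign_category in contact.purchased_categories:
        # s69(3): own similar products or services to an existing customer, who must
        # still be offered the opt-out in every message (see build_campaign).
        return True, "s69(3): existing customer, similar product or service"
    return False, "no lawful basis for direct marketing"


def build_campaign(contacts: List[Contact], campaign_category: str,
                   suppression: SuppressionList, sender: str,
                   opt_out_address: str) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Return the messages that may be sent and a log of rejections with reasons.
    Every queued message carries the s69(4) particulars: who is sending it and an
    address at which the recipient can opt out."""
    queued: List[Dict[str, str]] = []
    rejected: Dict[str, str] = {}
    for contact in contacts:
        allowed, reason = marketing_basis(contact, campaign_category, suppression)
        addr = normalise_email(contact.email)
        if allowed:
            queued.append({"to": addr, "from": sender,
                           "opt_out": opt_out_address, "basis": reason})
        else:
            rejected[addr] = reason
    return queued, rejected


def handle_opt_out(suppression: SuppressionList, addr: str) -> None:
    """An opt-out is honoured by adding the address to the suppression list; nothing
    else in the pipeline changes, because every campaign checks the list first."""
    suppression.add(addr)


# Constructed sample data for the example; names and addresses are fictitious.
SUPPRESSION = SuppressionList()
handle_opt_out(SUPPRESSION, "  Bob@Example.COM ")   # Bob objected via a messy form submission

CONTACTS = [
    Contact("alice@example.com", opted_in=True),
    Contact("bob@example.com", existing_customer=True, purchased_categories={"insurance"}),
    Contact("carol@example.com", existing_customer=True, purchased_categories={"insurance"}),
    Contact("dave@example.com", existing_customer=True, purchased_categories={"loans"}),
    Contact("erin@example.com"),
]


def run_example() -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Run an 'insurance' campaign against the sample contacts."""
    return build_campaign(CONTACTS, "insurance", SUPPRESSION,
                          sender="Example Insurer (Pty) Ltd",
                          opt_out_address="optout@example.com")


if __name__ == "__main__":
    sent, skipped = run_example()
    for msg in sent:
        print("SEND", msg["to"], "|", msg["basis"])
    for addr, reason in skipped.items():
        print("SKIP", addr, "|", reason)
```

Bob is skipped even though he qualifies as an existing customer, because the objection check runs first; Dave is skipped because loans are not "similar" to insurance and the section 69(3) exception does not stretch to other product lines. In a real deployment the suppression list would live in a store that every sending channel (email, SMS, dialler) consults, not only the email pipeline.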


Section 5: Security Safeguards

15. Do you have documented technical and organisational security measures for personal information? Condition 7 of POPIA requires appropriate security safeguards. "Appropriate" is contextual — it depends on the sensitivity of the data and the nature of the threat. A written Information Security Policy that references POPIA is the baseline.

16. Are personal information systems included in your vulnerability management and patching programme? Unpatched systems holding personal information are among the most common sources of reportable breaches. If your patch management programme does not specifically flag systems with personal information as higher priority, there is a gap.

17. Do you encrypt personal information in transit and at rest? Encryption is not explicitly required by POPIA, but it is the most defensible technical control under Condition 7's "appropriate safeguards" standard. If you suffer a breach and personal information was unencrypted, the absence of encryption will be noted in any regulatory investigation. Encryption at rest only counts if the keys are managed separately from the data store with their own access controls; a database dump taken together with the keys that decrypt it offers no more protection than plaintext.

18. Have you assessed third-party operator security controls? Section 21 requires you to ensure, through a written contract, that each operator establishes and maintains the security measures of section 19, and that the operator notifies you immediately where there are reasonable grounds to believe personal information has been accessed or acquired by an unauthorised person. Have you reviewed the security certifications (ISO 27001, SOC 2) or conducted your own assessments of the operators who hold your data? A supplier questionnaire is the minimum starting point, not the finish line.


Section 6: Breach Response

19. Do you have a documented breach notification procedure with assigned roles? POPIA section 22 requires notification to the Information Regulator and to affected data subjects, as soon as reasonably possible after discovery, where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person. Unlike the GDPR, the trigger is unauthorised access or acquisition, not a likelihood-of-harm threshold, so the decision turns on whether you have reasonable grounds, not on how serious the consequences appear. Your procedure should define who makes the notification decision, what the notification must contain (at minimum the possible consequences, the measures you have taken or intend to take, what data subjects can do to protect themselves, and the identity of the unauthorised person if known), how data subjects will be reached (post, email, a prominent notice on your website, the news media, or as the Regulator directs), and how the clock is managed. POPIA says "as soon as reasonably possible"; running an internal 72-hour deadline from discovery aligns with GDPR practice and stops "reasonably possible" drifting into weeks. The only legitimate reason to delay notifying data subjects is a determination by a law enforcement agency or the Regulator that notification would impede a criminal investigation.

20. Have you tested your breach response procedure in the last 12 months? A procedure that has never been exercised is a procedure that will fail under pressure. A tabletop exercise — walking a simulated breach through the notification procedure — takes half a day and surfaces gaps that paper reviews miss.


Scoring Your Readiness

Work through the 20 questions and mark each as Yes, Partial, or No:

Score            What it means
18–20 Yes        Strong baseline — focus on evidence and continuous improvement
14–17 Yes        Functional posture — address Partials before an incident
10–13 Yes        Material gaps — prioritise Sections 1, 5, and 6 immediately
Below 10 Yes     High regulatory risk — seek external assistance

Be honest about "Partial" answers. A process that exists on paper but has never been tested, a consent mechanism that pre-dates POPIA, or a third-party contract that lacks data processing clauses all count as Partial at best.


What to Do With the Gaps

Gaps in Sections 1 and 2 (governance and inventory) should be addressed first — everything else depends on knowing what you have and who is accountable. Gaps in Section 6 (breach response) create immediate regulatory exposure and should be remediated urgently.

Gaps in Sections 3, 4, and 5 are often systemic — they reflect how the organisation was built rather than isolated oversights. These require a structured remediation programme, not just policy updates.


FAQ

How long does a POPIA gap assessment take?

A structured gap assessment for an SME typically takes two to four weeks, including interviews, documentation review, and system walkthroughs. Larger organisations with complex data estates take longer. The assessment output is a prioritised remediation plan, not just a gap list.

We haven't received any complaints. Does that mean we're compliant?

No. The absence of complaints does not indicate compliance — it indicates that no data subject has yet chosen to complain, or that a breach has not yet been detected. The Information Regulator can investigate on its own initiative.

Is a POPIA compliance certificate available?

There is no official POPIA certification issued by the Information Regulator. Organisations can seek ISO 27701 (Privacy Information Management System) certification, which demonstrates a structured privacy management programme and aligns with POPIA's requirements.

Our organisation is small. Does POPIA still apply?

Yes. POPIA applies to any responsible party that is domiciled in South Africa, or that is not domiciled here but uses automated or non-automated means in South Africa to process personal information (section 3), regardless of size. There is no SME exemption. The practical difference is that smaller organisations typically have simpler data estates and can achieve compliance with less effort.

What happens if we fail a regulatory investigation?

The Information Regulator can issue enforcement notices requiring remediation, impose administrative fines of up to R10 million, and refer matters to the National Prosecuting Authority for criminal prosecution (the most serious offences carry up to 10 years' imprisonment). More immediately, enforcement notices and findings can become public, and the reputational consequences of a finding can be significant.


Next Step

If this checklist has surfaced gaps you want to address, our free POPIA readiness assessment takes approximately 15 minutes and produces a prioritised report you can take directly into a remediation planning session. No obligation.
