South Africa’s Protection of Personal Information Act (POPIA)

POPIA gives effect to the right to privacy for personal information processed within South Africa. It sets out eight conditions for lawful processing, which must be built into an organisation's controls:

  • Accountability
  • Processing limitation
  • Purpose specification
  • Further processing limitation
  • Information quality
  • Openness
  • Security safeguards. Condition 7 requires appropriate, reasonable technical and organisational measures to secure the integrity and confidentiality of personal information.
  • Data subject participation

Security controls and industry best practices are essential for compliance with the POPI Act / POPIA. The same controls also protect your organisation against a broad range of information security threats and vulnerabilities. In its simplest form, this means applying an Information Security Management System (ISMS) built on a recognised standard or framework.

So, what are appropriate, reasonable technical and organisational measures?

Appropriate and reasonable measures come down to identifying the personal information risks your organisation is exposed to, and then defining how those risks are assessed, mitigated and managed on an ongoing basis.

The most widely adopted standards for this are ISO/IEC 27001, which specifies an Information Security Management System (ISMS), and ISO/IEC 27701, which extends it into a Privacy Information Management System (PIMS).

The Challenges Of POPIA

  • Privacy challenge – The GDPR, POPIA and other privacy regulations require organisations to implement technical and operational controls for securing personal data.

  • Security challenges – POPIA requires personal data to be secured, i.e. its confidentiality, integrity and availability (CIA) must be protected. For each data set, the organisation must identify what personal information it holds, where it is stored and who has access to it.

  • Governance challenge – Implementing an ISMS or a Privacy Information Management System (PIMS) to manage personal data, including incident response procedures and the data retention periods defined by the organisation.

  • Ongoing responsibility challenge – organisations often underestimate the effort required to implement the measures needed to satisfy POPIA. Compliance is an ongoing initiative: your organisation must be able to demonstrate compliance at all times, even as the business evolves.

The Benefits Of POPIA

  • Increased reliability and reputation – demonstrable POPIA compliance improves your reputation with stakeholders and third parties.

  • Customer and third-party confidence – stakeholders can be confident that the personal information, and the systems protecting it, adhere to industry best practice security controls.

  • Increased organisational resilience – the measures implemented for POPIA also protect your organisation against cyber threats.

  • Improved data management – minimising the personal data you store and refining your data management processes.

What needs to be assessed

Core focus areas for evaluation during the assessment:

Why choose Securicentrix for POPIA?

Securicentrix is a CREST-accredited and award-winning provider of penetration testing services. Our ethical hacking engagements, including network penetration testing and web application testing, help organisations to achieve PCI DSS pen test standards by identifying weaknesses that could enable card payment details to be compromised by criminal attackers. 

Our services

SecuriCentrix's security services are designed to provide the assistance needed to make tangible improvements to your organisation's cyber security posture.
Expert security services and solutions tailored to your needs