A Personal Information Impact Assessment (PIIA) under POPIA is a process that helps organisations understand and minimise the data protection risks of processing personal information. Under South Africa's Protection of Personal Information Act, 4 of 2013 (POPIA), a PIIA supports the responsible party's legal duty to process personal information in a way that respects privacy and complies with the Act.
Much like a risk assessment in other contexts, a PIIA is designed to evaluate how new systems, projects, or processes will affect the privacy of individuals—and to identify measures that can mitigate those risks.
Why is a PIIA required?
Section 9 of POPIA (the lawfulness requirement of Condition 2, which section 4(1)(b) lists as "processing limitation") requires that personal information be processed "lawfully" and "in a reasonable manner that does not infringe the privacy of the data subject." Furthermore, Condition 1 of POPIA (Accountability, section 8) places the obligation on responsible parties to ensure that all processing complies with the conditions for lawful processing and with the measures that give effect to them.
A PIIA is a practical tool for demonstrating compliance with several core POPIA conditions, including:
- Condition 2 (processing limitation, sections 9 to 12) ensures personal information is collected lawfully, on a recognised justification ground, and minimally, that is, only what is adequate, relevant and not excessive for the purpose.
- Condition 4 (further processing limitation, section 15) assesses whether future uses of the information are compatible with the purpose for which it was originally collected.
- Condition 7 (security safeguards, sections 19 to 22) requires the responsible party to identify reasonably foreseeable internal and external risks, and to establish, maintain, regularly verify and update safeguards against them; the PIIA is where those risks are identified and the technical and organisational measures chosen.
- Condition 8 (data subject participation, sections 23 to 25) helps consider how the data subject can access, correct or delete their information.
While the Act itself does not use the term "impact assessment", regulation 4(1)(b) of the POPIA Regulations (2018) requires the Information Officer to ensure that a personal information impact assessment is done so that adequate measures and standards exist to comply with the conditions for lawful processing. The Code of Conduct for Research (issued under POPIA) and guidance from the Information Regulator likewise treat privacy impact assessments as good practice.
When should you conduct a PIIA?
You should conduct a PIIA before starting any new processing activity that is likely to pose a high risk to the privacy rights of individuals, and early enough that its findings can still change the design. Examples include:
- Deploying surveillance or facial recognition tools (biometric information is special personal information under section 26, which may only be processed on a section 27 ground)
- Launching a new customer management system
- Rolling out biometric attendance tools
- Sharing data with third-party vendors or cloud platforms (section 21 requires a written contract obliging an operator to maintain the section 19 safeguards, and section 72 governs transfers out of South Africa)
- Using AI or algorithmic profiling to make decisions about people (section 71 restricts decisions based solely on automated processing that have legal or similarly significant effects on the data subject)
How do you conduct a Personal Information Impact Assessment?
The assessment typically follows a structured process that includes the following steps:
1. Identify the need
Determine whether the processing activity involves sensitive or large volumes of personal information, or uses new technology that may pose a privacy risk.
2. Describe the processing
Set out what data will be collected, why, how it will be used, who will have access, and where it will be stored or transferred.
3. Assess lawfulness and necessity
Check whether the processing meets one of POPIA’s legal grounds and whether the purpose justifies the means of processing.
4. Identify risks
Analyse the potential impact on data subjects, including unauthorised access, misuse, data breaches, or discrimination.
5. Mitigate risks
Propose security measures, access controls, training, or policy changes to address the identified risks.
6. Document and review
Record the assessment and keep a copy for accountability. Review it periodically, especially when the processing changes.
Conducting personal information impact assessments under POPIA is not just a compliance checkbox: it is a critical tool for protecting privacy, managing risk, and building trust with stakeholders. Embedding PIIAs into your project lifecycle will help ensure your data processing practices remain lawful, fair, and secure. A PIIA is a substantial piece of work and needs collaboration between the different teams engaged in the project lifecycle, because the legal analysis, the system description and the security controls each come from a different team.
Actions to take:
- Identify high-risk processing activities that may require a PIIA.
- Develop or adopt a standard PIIA template for internal use – you can ask the Michalsons team to do this for you.
- Train key staff (especially IT, legal, compliance, and data teams) on when and how to carry out a PIIA.
- Integrate PIIAs into procurement and system design workflows.
- Involve the Information Officer or Data Protection Officer early in project planning.
- Document all assessments and keep them updated.
- Be prepared to show the Information Regulator how risks were identified and addressed.