A data protection compliance framework contains the common elements from multiple data protection regulatory requirements (laws, rules, codes and standards) that an organisation must comply with. Some people call this a privacy compliance framework or (in a South African context) a POPIA compliance framework. In this article, we look at why you need one, what it is, what it is not and how you go about putting one in place.

How a framework helps you

It helps you to comply with multiple regulatory requirements and enables you to demonstrate your compliance. Regulators, business partners, customers and individuals need to see that you are protecting personal data if you want to secure their trust and confidence. You can do a gap analysis against it, and auditors can audit your organisation’s compliance with its framework. With a good framework, auditors can perform quicker and more effective audits.

It also enhances your reputation and gives you a competitive edge, helping your organisation thrive and grow.

What is a data protection compliance framework?

Whatever you call it, it contains the common elements from multiple data protection regulatory requirements (laws, rules, codes and standards) that an organisation must comply with. A framework can be divided into categories, pillars or workstreams. These are some typical examples people include.

  1. Leadership and oversight
  2. Policies and procedures
  3. Privacy by design and by default
  4. Training and awareness
  5. Individuals’ rights
  6. Transparency
  7. Records of processing and the lawful basis
  8. Contracts and data sharing
  9. Risks and data protection impact assessments (DPIAs)
  10. Records management and security
  11. Breach response and monitoring

Under each category are actions, checklists, measures or controls that an organisation must implement. The organisation must assign each action to a responsible person. A framework should not contain principles. Ideally, you want a good framework that is easy to follow and helps you understand what actions you need to take, why you need to take them, and what risk areas they serve.

A framework is what turns principle-based laws into actionable, auditable controls.

Compliance software or system

The framework can be a document or a website but more often than not, it is built into software or a system that enables you to:

  • create a framework that is relevant to your organisation, and
  • assess, track or monitor how your organisation is implementing the framework.

It is possible to do this manually using a spreadsheet or table, but it is much better to do it using software.

Examples of a privacy compliance framework

The best way to understand a compliance framework is to look at examples. Over the years, different organisations have developed them. We provide various examples of both good and bad ones to the members of our data protection programme in the “Having a compliance framework” module. If you are not a member but want to see examples, contact us for a software demo or a framework demo.

What is a POPIA compliance framework?

The simple answer is a framework that only looks at the POPIA compliance obligations. It is a framework (or responsibility framework) that is based on just one regulatory requirement – POPIA. In South Africa, the POPIA regulations require an information officer of a responsible party (or body) to “ensure that … a compliance framework is developed, implemented, monitored and maintained”. The regulator has given very limited guidance on what that actually is and has not published guidance that responsible parties can use, although in time it might produce a framework and publish it on its website. In November 2021, the regulator held a public webinar and presented a slideshow on its view of a framework. At the time, the slideshow noted the following:

  1. “A POPIA Compliance Framework governs personal information and provides a framework which forms the structure that provides a holistic overview of how an organisation creates and manages its enterprise-wide information assets (records, personal information and data).”
  2. “A compliance framework will support the fundamentals of an effective privacy management programme.”

This seems to align with what we have described above in relation to a framework generally but it still does not paint the clearest picture.

There are multiple POPIA compliance frameworks that various people (including Michalsons) have created.

How we can help you

  1. Find out what a framework is by joining our programme and reading our guidance and watching our webinars.
  2. Decide which framework to adopt by considering the options by joining our programme.
  3. Develop a POPIA compliance framework for your organisation by asking us to develop one for you.
  4. Implement and monitor (or track) the implementation of the framework by asking us to provide you with software, trackers, templates and other tools.

What a framework is not

A compliance framework is a specific thing and is different to other related things. Below is a list of what a compliance framework is not. Don’t get confused between them.

  • Programme – a compliance programme is a set of related activities that an organisation does (or measures that an organisation puts in place) with the long-term aim of complying with something (like laws, rules, codes or standards). The Michalsons data protection programme helps an organisation implement its own programme.
  • Toolkit – a toolkit contains tools (like templates or checklists) you can use to help your organisation comply.
  • Data protection standards – a standard can be one of the regulatory requirements that people incorporate into a compliance framework.
  • Code of conduct – a code is one of the regulatory requirements that people incorporate into a compliance framework.
  • Compliance manual – refers to many different things, but often people refer to a POPIA compliance manual or PAIA Manual. These are not compliance frameworks.
  • Compliance risk management plan (CRMP) – although there are some similarities, a CRMP for a specific regulatory requirement forms part of (and feeds into) a compliance framework and is often called an assessment. The framework is a collection of CRMPs.
  • Privacy management software – software that can be used to manage, implement, track or monitor a framework.
  • Compliance policy or data protection policy – a policy records the strategic decisions of the governing body regarding data protection.

You should have a framework for all compliance requirements

As we have explored above, a framework enables an organisation to operate lawfully, which means every organisation should have a general framework. The POPIA compliance framework should slot into that bigger picture. Our IT Legal Framework is an example of a different kind of framework that looks at all IT regulatory requirements.