POPI Compliance in a Practical and Effective Way

2017-12-07T07:00:50+00:00

Do you need someone to help you with POPI compliance? Are you busy with a POPI Compliance project or POPI implementation project? We can help you to:

  • take practical effective action to protect personal information at the lowest cost, and
  • get business value out of those efforts.

We do this by following the Michalsons Four-Step Compliance Process. Our process is insightful, entrepreneurial, and will reduce your overall costs. We have a “faster to market” practical approach. We have developed an approach to compliance projects that is both rigorous and pragmatic. It is simpler and quicker than most others. We help you to achieve the most, at the least cost. The benefits of using Michalsons include:

  • Get expert practical legal advice, support, guidance, tools and templates
  • Fast track your efforts
  • Reduce your overall cost of compliance by using your resources as much as possible

POPI Compliance Process

Below is a description of the outcomes you want to achieve for each step in the process and how you achieve those outcomes. We can give you a fixed price quote for any step in the process, work on a time and materials basis or we can agree a retainer.

Awareness of the new regulatory requirements is the first step. We help you to:

  1. Know what POPI compliance is and how to do it practically and effectively, what the law might require your organisation to do, and what the timeline is by attending a public POPI Act Awareness Workshop or arranging a private in-house POPI Act Awareness Workshop or Executive Briefing. We can help you to appoint your Information Officer properly, including a job specification and letter of appointment.
  2. Know what you need to comply with by determining the overlap between the POPI Act and other data protection laws and the overlap between the POPI Act and other laws (like NCA, CPA, PAIA, and record retention laws). This will help you to find the overlap between your various compliance projects (like TCF or PCI) and work out if you can kill many birds with one stone.
  3. Assess the impact of POPI on your organisation by doing a POPI Impact Assessment.
  4. Understand your risk profile by doing a POPI risk assessment.
  5. Establish the business case, motivation or strategy for further action and get the governing body to approve a data protection compliance policy.

Planning is vitally important. You need to know who is going to do what, and when, and what you are not going to do. We will help you plan. Planning involves the following:

  1. Identify the role players, like project sponsor and manager, and current information officer.
  2. Map your activities to establish the facts about your organisation that are relevant to POPI, identify the sections of POPI that are relevant to your activities, record how you are processing lawfully, determine the gaps where you are not processing lawfully, and identify implementation action items. Our POPI Mapper and POPI Activities Map template are key tools for doing this.
  3. Check whether your sharing of personal information with others (excluding operators) is lawful to find the gaps where you are not processing lawfully and identify implementation action items. Our POPI Sharing Map template is a key tool for doing this.
  4. Ensure there is a common interpretation of POPI in your organisation by running private workshops where we delve into particular issues relevant to your particular organisation to extract the areas you need to pay attention to or by getting us to provide you with an opinion on various issues, especially around cross-border data flow issues, cloud computing, legitimate interests, and the application of laws.
  5. Identify your Compliance Action Items, including identifying some quick wins. Given limited resources and time, you need to follow a risk-based approach first to decide what you need to do and in what order. For each action item, you must determine how important it is, who is responsible for it, the resource that will actually do it, what it will cost, and what the deadline is. We have great tools to help you do this fast. Where possible, we will help you find the right external resource to help you implement. Our Compliance Action Items template is a key tool for doing this.
  6. Identify your roadmap. Our Project Status Report template is a key tool for doing this.

Planning involves doing various things, like discovering, researching, asking questions, drafting, analysing or workshopping. Planning often involves a private POPI Planning Workshop for a group of people from all functions of your organisation (or for a specific function). The planning workshop is based on the material of our POPI Act Awareness workshop, but we spend much more time on mapping activities and planning action items.

Actually implementing POPI is the most important step. The identified resource must take practical effective action to protect personal information. People within your organisation will have to do many of the action items. We can help you do some (not all) of the actions and other external resources will also help you do some. This step involves the following:

  1. Implement the quick wins.
  2. Do the other implementation action items in accordance with your roadmap.

If you are interested, we can tell you which action items we can assist with. We can also support you during the implementation phase, especially with the implementation of action items by other external resources. We can:

  • attend project meetings to provide practical guidance and insight,
  • answer questions that come out of meetings,
  • provide updates on significant developments.

Review (or audit) whether the relevant resource has correctly implemented the action items. This involves the following:

  1. Check they have been done correctly by asking Michalsons to review (or audit) that the relevant resource has correctly implemented the POPI Compliance Action Items that you identified in the Planning step.
  2. Set up structures and processes to ensure ongoing sustainable compliance.

How we can help you

We can help you to comply yourself, to comply with our guidance, or we can comply for you. Read more about these options and choose the right one for your organisation.

Why we will Deliver

  • We have a team of practical privacy and data protection lawyers.
  • We have deep knowledge and expertise helping organisations comply with POPI. We are independent professional legal advisors with expertise on how to implement POPI. Our advice is privileged and the regulator cannot seize it.
  • We have worked through our process with many clients by increasing their awareness of data protection laws across the organisation from the executives to the data capturers, planning their projects, and implementing their plans towards compliance.
  • We are currently working with many organisations, from dual listed multinationals to start-ups in various industries, including financial services, marketing, FMCG, oil, healthcare, retail, and mining.
  • We have successfully done many large projects on POPI, IT GRC, information security, and records management. We have also done many IT Legal Compliance Audits on many organisations.
  • We wrote the South African chapter for a Global Privacy Book.
  • We have made representations to the South African Law Commission for several clients on the Data Privacy Issue Paper published for comment in October 2003 and the Data Privacy Discussion Paper published for comment in October 2005 in response to the Protection of Personal Information Bill.

Our Role

Our role is similar to that of an architect when you build a house. We:

  1. make you aware of the practical implications,
  2. help you plan what needs to be done,
  3. do some of the work ourselves and check that others are doing their work, and
  4. review that everything has been done correctly.

Our Experience

  • We are currently helping many organisations with POPI compliance by following our compliance process.
  • We have advised a large variety of businesses, both domestic and international.
  • We have presented to well over 3,000 people on about 80 different occasions.


If you are interested, please complete the form on the right or enquire now. We will contact you to find out more about your requirements and give you a quote.