Every organisation should have good protection of personal information (POPI) policies, procedures and practices. Some people refer to standards, but this is not the term used in POPI. Standards are often included in codes of conduct, rather than policies. Some people call it a Data Privacy Policy. This is not an internal employee Privacy Policy, which deals with how you process the personal information of your employees.

Protection of personal information policies, procedures and practices should regulate the way in which employees (and maybe operators) process personal information with the aim of protecting it. The policy must dovetail with your organisation’s other policies and policy framework. Often a POPI Policy is part of an Acceptable Use of IT Policy.

The target audience should be all employees who process personal information, but especially managers. And maybe operators.

Why are they important?

It is an important part of complying with POPI. If the Information Regulator decides to fine you, it must consider whether you failed to operate good protection of personal information policies, procedures and practices. The fine could be up to R10 million. If you want to reduce a possible fine you might get, you need to operate good protection of personal information policies, procedures and practices.

What should be in them?

The often have some general procedures. And then deal with some specific areas, like:

  • Paper Records
  • Retaining personal information
  • Email and Personal Productivity Software
  • Remote Access
  • Laptops and Other Mobile Storage Devices (incl. Mobile Phones, PDAs, USB memory sticks, External Hard Drives, etc.)
  • Using wireless networks
  • Data transfers and encryption
  • Posting of paper documents
  • Appropriate Access and Audit Trail Monitoring
  • Disposal of paper and media
  • Incident Response

Characteristics of good ones

They should be:

  • short and to the point
  • in plain and understandable language
  • well structured
  • consistent
  • in accordance with and inline with the latest laws and rules
  • clear on what is permitted and what is not
  • specific, relevant and applicable to the target audience

We can help you to formulate, draft or revise your protection of personal information policies, procedures, and practises.


If you are interested, please complete the form on the right or enquire now. We will contact you to find out more about your requirements and give you a quote.