What Do I Get From online PoPI?

onlinePoPI is here to help you understand the Protection of Personal Information Act and to ensure your entity is PoPI Compliant - with the goal of preventing misuse of Personal Information and mitigating potential prosecution.

The PoPI Act (Section 55 & Regulation 4) requires that a Compliance Framework is implemented and that a Personal Impact Assessment is done - onlinePoPI provides this.

Additionally the PoPI Act (Regulation 4) requires that the Information Officer conducts internal awareness and training around the Protection of Personal Information - the onlinePoPI tool and supplementary videos and articles will help the Information Officer accomplish this.

onlinePoPI will continuously be updated with new features, documents and amendments as there are changes to the PoPI Act, ensuring that you are always up to date with your PoPI Compliance goals.

Being PoPI Compliant is a continous process and onlinePoPI is here to help you on your journey.



onlinePoPI generates a comprehensive pack of customised and branded documents for your entity. 

These documents include:


PoPI Compliance Certificate

A Certificate showing the compliance status of your entity of the relevent 25 PoPI Act Sections.


Non-Compliance Gap Analysis Report

A report listing all the current Non Compliances for your entity. This gives you a plan of what to work on to become PoPI compliant.


Notes Report

A report keeping history of your notes


Data Mapping

Specify what and how Personal Information is stored, secured and processed.
Track Consent, Authorization and Approval.


Information Officer Declarations

Customised Information Officer Declarations around each of the relevent 25 PoPI Act sections reflecting your entities current position with each section.

  • Application of Act
  • Duties and Responsibilities of Information Officer
  • Rights of Data Subject
  • Lawful Processing and Minimality
  • Consent, Justification and Objection
  • Collection Directly From Data Subject
  • Collection For Specific Purpose
  • Retention and Restriction of Records
  • Further Processing Compatible with Purpose of Collection
  • Quality of Information
  • Documentation
  • Notification to Data Subject when Collecting Personal Information
  • Security Measures On Integrity and Confidentiality of Personal Information
  • Information Processed by Operator or Person Acting Under Authority
  • Security Measures Regarding Information Processed by Operator
  • Notification of Security Compromises
  • Access to Personal Information
  • Correction of Personal Information
  • Prohibition on Processing of Special Personal Information (Only "Race" available in Xpress)
  • Prohibition and Authorisation on Processing Personal Information of A Child (Not available in Xpress)
  • Processing Subject to Prior Authorisation
  • Direct Marketing by Means of Unsolicited Electronic Communications
  • Directories (Not available in Xpress)
  • Automated Decision-Making (Not available in Xpress)
  • Transfers of Personal Information Outside The Republic of South Africa (Not available in Xpress)



Required policies and notices your entity needs to be PoPI Compliant

  • Data Classification Policy
  • Record and Document Destruction Policy
  • Privacy Policy
  • Data Subject Consent And Withdrawal Policy
  • Document Retention Policy
  • PAIA Manual
  • Employee Privacy Notice
  • Customer Privacy Notice
  • Privacy Notice For Suppliers
  • Information Security Policy
  • Information Risk Policy (Not available in Xpress)
  • Security Incident Notification and Reporting Policy
  • Data Operator Policy
  • Service Level Agreement
  • Data Operator Agreement
  • Third Party Personal Information Processing Agreement
  • Data Breach Notification Policy
  • Access to Personal Information Policy
  • Special Personal Information Policy
  • Child Protection Policy (Not available in Xpress)
  • Credit Reporting Policy
  • Direct Marketing Policy
  • Personal Information Suppression Policy / Opt-Out Policy
  • Transborder Flow of Information Policy (Not available in Xpress)


Information Regulator Forms

Forms your entity needs to supply to its Data Subjects in order to be PoPI Compliant

  • Objection to the Processing of Personal Information
  • Request for Correction or Deletion of Personal Information
  • Application for the Consent of a Data Subject for the Processing of Personal Information for the Purpose of Direct Marketing
  • Complaint Regarding Interference with the Protection of Personal Information
  • Complaint Regarding Determination of Adjudicator
  • Data Subject Consent Form
  • Data Subject Consent Withdrawal Form
  • Objection To The Processing Of Personal Information
  • Request for Correction or Deletion of Personal Information
  • Application for the Consent of a Data Subject for the Processing of Personal Information for the Purpose of Direct Marketing
  • Consent to Store Personal Information Outside of the Republic of South Africa (Not available in Xpress)



Registers of what information your entity needs to keep track of in order to be PoPI Compliant

  • Data Subject Withdrawal Notification Register
  • Data Subject Register
  • Personal Information Register
  • Data Breach Notification Register