PoPI Readiness Assessment

Measure your organisation’s PoPI readiness

What is the purpose of this assessment?

This assessment provides specific questions that guide your organisation through the typical thinking needed to establish your level of readiness. Does your organisation even need to comply with the PoPI Act? Each question is aimed at triggering the basic thought process of “what does this mean for us”. The outcome of the assessment should provide the insights needed to determine your next steps towards PoPI compliance. Please note that this assessment is only the first step on your PoPI Act compliance journey and does not constitute a complete solution.

Who should complete this assessment?

The most suitable person to complete this assessment would be someone who is best informed about the processing of Personal Information in your organisation. This candidate should know where it is stored, how it is collected, how long you keep it and what you need it for, based on your business needs.


    1. Should your organisation comply with the PoPI Act?
    2. Is your organisation the Responsible Party who decides how and why Personal Information is collected and/or used?
    3. Do you make use of the services of Operators/Outsourced Partners and ensure risk assessment and strong contractual controls?
    4. Does your organisation gather Personal Information directly from the data subject (customers, employees, third parties)?
    5. Are you domiciled in South Africa?
    6. Do you process Personal Information in South Africa?
    7. Are you sure that only the right people have access to the Personal Information your organisation collects and stores?
    8. Is your organisation transparent with all your data subjects regarding the processing of their Personal Information?
    9. Does your organisation ask for explicit consent to do direct marketing?
    10. Does your organisation have measures in place to protect the flow of information across borders?
    11. Is the Personal Information you process current and accurate?
    12. Does your organisation have steps to verify your customers' personal information and identity?
    13. Have you established mechanisms to log, track and monitor privacy incidents?
    14. Do you process only the minimum Personal Information required to conduct your business operations?
    15. Has your organisation agreed to comply with the PoPI Act?
    16. Do you process any of the following Special Personal Information of your customers, employees or third parties?

    17. Does your organisation have an Information Officer or at least a Deputy Information Officer?
    Yes / No / I'm not sure
    18. Which description best describes your organisation?

    19. Which option best describes how you would like to take it from here?

    20. I understand the consequences of not being compliant with the PoPI Act.
