POPIA certification

GENERAL REQUIREMENTS

The formal certification programme includes:

  • a two-stage initial review
  • surveillance reviews in the first and second years, and
  • a recertification review in the third year prior to expiration of certification.

The determination of the certification programme and any subsequent adjustments will consider:

  • the size of the client organisation
  • the scope (target of evaluation)
  • products and processes
  • demonstrated level of effectiveness, and
  • the results of any previous audits.

GENERAL REQUIREMENTS

The certification programme will be based on the documented objective, scope and criteria.

The objective is to:

  1. Evaluate compliance with POPIA and its regulations
  2. Evaluate compliance with contractual requirements, and / or
  3. Identify areas for potential improvement.

DOCUMENTATION OF PROCESSING ACTIVITIES WITHIN SCOPE

The scope of certification (the “Target of Evaluation”, ToE) is a set of “processing activities”. It is up to the organisation seeking certification to decide which processing activities are in scope. The first step towards certification of processing activities is preparing the documentation of the processing operations. (The Protection of Personal Information Act requires that all processing operations are documented.)

TARGET OF EVALUATION

Level                                              | Example A (Compliance)  | Example B (HR)
---------------------------------------------------|-------------------------|------------------------------------------------------
Level 1: The organisation                          | Financial institution   | Financial institution
Level 2: Functional/organisational unit            | Compliance              | HR Department
Level 3: Business process / functional application | AML / KYC (World check) | Recruitment (SAP-HR)
Level 4: IT infrastructure components              | Cloud solution / SAAS   | Unix servers – Oracle DB; Windows server farm; Oracle DB