South Africa's most experienced POPIA compliance assessor 

POPIA compliance framework

POPIA Certification

Certification is a process for demonstrating compliance with defined criteria. Certification benefits data subjects by providing greater transparency and accountability for the specified processing operations by responsible parties. Certification of operator compliance provides responsible parties with assurance that the operator is capable of fulfilling its statutory and contractual obligations.


POPIA Certification Criteria

Certification criteria depend on the area (e.g. health sector) and scope of certification (multiple or single processing operations). The criteria address, inter alia, the following compliance aspects in support of the assessment of the processing operation:

  • the legitimacy of processing personal information
  • the conditions for the lawful processing of personal information
  • the data subjects’ rights
  • the personal information impact assessments, pursuant to regulation 4(b)
  • the safeguards put in place to protect personal information
  • the obligation to notify data subjects of breaches.


Scope of the Certification

The scope for what is being certified (also known as “the object of certification” or “Target of Evaluation” (ToE)) is the set of “processing activities” to be assessed. It is up to the entity that will be certified to define the processing activities in scope. Entities can start with a limited scope and extend it over the years, they can focus on key processing activities – or those that are most relevant in regards to demonstrating compliance. An entity can select processing activities for which it acts as responsible party or as an operator.

Before assessing the processing operations, it has proved useful to distinguish between the four different levels of significant influencing factors (or components) for the evaluation of processing operations.

  • The first level is directed to the organisation of the responsible party or operator, e.g. a private or public body and its specific legal ecosystem.
  • The second level addresses the organisational circumstances and the purpose or purposes for which the processing operation is performed, e.g. the department and the people in charge of the operation. 
  • The third level is where the functional application is assessed and the purpose implemented.
  • The fourth level considers the entire IT infrastructure and the functions provided. This level includes operating systems, virtual systems, databases, authentication and authorization systems, routers and firewalls, storage systems such as SAN or NAS, an organisation's communication infrastructure or Internet access, as well as the technical measures which must be implemented.