POPIA certification criteria

The overall aim of certification is to give confidence to all parties that the certification target (e.g. process, service, or product) of an operator or responsible party fulfils the specified data protection requirements for certification. The value of certification is the degree of public confidence and trust that is established by an impartial and competent assessment by a third party (e.g. POPIA Certification (Pty) Ltd).

Parties that have an interest in certification include, but are not limited to:

  1. responsible parties;
  2. customers of responsible parties whose products, processes or services are certified;
  3. operators (service providers and sub-contractors) of responsible parties;
  4. Information Regulator and other governmental authorities;
  5. non-governmental organisations;
  6. data subjects, consumers and other members of the public.

Interested parties can expect or require the responsible party to meet all the requirements (certification criteria) of the certification scheme.

Certification of products, processes or services is a means of providing assurance that they comply with specified requirements in standards and other normative documents. Some product, process or service certification schemes may include initial testing or inspection and assessment of its operators' data processing systems, followed by surveillance.

Certification criteria specify the data protection requirements (POPIA obligations) that must be met to obtain certification. These requirements ensure that certification is carried out in a competent, consistent and impartial manner. Certification criteria can be focused on specific processing activities, technologies and domains (e.g. cloud computing).