A compliance framework is a requirement of Section 4(1)(a) of the POPI Regulations 2018. It is the responsibility of the Information Officer to ensure that the compliance framework is developed, implemented, monitored and maintained.

A compliance framework consists of everything you will need to put in place in your organisation to ensure ongoing compliance: appointing the right person, policies, procedures, controls, training, documents and templates, measures for enforcing compliance such as disciplinary sanction for non-compliance, and ongoing communication around the topic. The framework should be designed specifically to achieve the right outcomes, so it is advisable to start with the end in mind.

Your compliance programme should be:

  1. Pro-active, not reactive
  2. Built on privacy as the default position
  3. Secure throughout the entire life-cycle of the data
  4. Practicable and efficient
  5. Measurable, so that you can identify whether it is working or whether things are falling through the cracks
  6. Visible and transparent, and applied throughout your organisation
  7. Properly recorded


Identify what is required to ensure compliance in your organisation. Include representatives from each part of the business, as these persons will be better placed to assist with risk identification, process design and implementation, and monitoring. Effective and efficient monitoring must be implemented and protecting personal information should become an inherent part of every staff member’s job description.

A high-level overview of these requirements should be mapped out so that you can properly plan your implementation. The purpose of the framework is to put into practice a holistic, interrelated set of technical and organisational measures that are understood and implemented in an integrated manner, that can be measured, and that achieve compliance.