GOVERNANCE
Governance requirements and responsibilities can be found in a number of different pieces of legislation and codes, including King IV and the Companies Act. In terms of POPI, compliance with, and accountability for, data protection legislation rests with the governing body and senior management of organisations. This is the POPI “accountability” provision.
While there is a general duty on any company to adequately protect its business information, King IV also expressly places ICT governance responsibility with the board, and with the senior management to whom the board delegates the task of managing and securing information.
This means the Board of Directors of a Company, Members of a Close Corporation, partners in a Partnership, Trustees in a Trust, and Sole Proprietors must assume ultimate accountability for ensuring that the provisions of POPI are met and that the organisation achieves the required outcomes.
It is therefore important that every Director, Member, Trustee, Partner and Sole Proprietor is aware of what POPI and other applicable data protection regulation require, how this applies to the business, what personal information is, what is required when processing personal information, and what their ongoing duties and responsibilities are.
The governing body must provide effective, collective oversight of the organisation’s activities in respect of strategic direction and annual planning. Governance means ensuring that you actively manage the requirements and ensure these are implemented in the organisation. This starts with ensuring the right culture. This is setting the “tone from the top” and should be clear, ongoing, regularly communicated and enforced.
Management and tasks may be delegated; however, accountability will always rest with the governing body. This is irrespective of whether these persons appoint someone in the organisation to take responsibility for compliance with data protection.
With the introduction of data protection regulation, it is furthermore important to build compliance with its requirements into the strategic planning of the organisation as well as into the budgeting process.
REGULATION & CODES
KING IV Principle 13
The governing body should govern compliance with applicable laws and adopted, non-binding rules, codes and standards in a way that supports the organisation being ethical and a good corporate citizen.
KING IV Principle 12
The Governing body should govern technology and information in a way that supports the organisation setting and achieving its strategic objectives.
Companies Act
Board, directors and prescribed officers
(1) The business and affairs of a company must be managed by or under the direction of its board, which has the authority to exercise all of the powers and perform any of the functions of the company, except to the extent that this Act or the company’s Memorandum of Incorporation provides otherwise.
Failure to properly understand duties and responsibilities and properly exercise a fiduciary responsibility can lead to the personal liability of a Director.
Companies Act S76. Standards of Directors conduct
- (1) In this section, “director” includes an alternate director, and-
  - (a) a prescribed officer; or
  - (b) a person who is a member of a committee of a board of a company, or of the audit committee of a company,
- (3) Subject to subsections (4) and (5), a director of a company, when acting in that capacity, must exercise the powers and perform the functions of director-
  - (a) in good faith and for a proper purpose;
  - (b) in the best interests of the company; and
  - (c) with the degree of care, skill and diligence that may reasonably be expected of a person-
    - (i) carrying out the same functions in relation to the company as those carried out by that director; and
    - (ii) having the general knowledge, skill and experience of that
- (4) In respect of any particular matter arising in the exercise of the powers or the performance of the functions of director, a particular director of a company-
  - (a) will have satisfied the obligations of subsection (3)(b) and (c) if-
    - (i) the director has taken reasonably diligent steps to become informed about the matter;
Companies Act S77. Liability of directors and prescribed officers
- (1) In this section, “director” includes an alternate director, and-
  - (a) a prescribed officer; or
  - (b) a person who is a member of a committee of a board of a company, or of the audit committee of a company,
  irrespective of whether or not the person is also a member of the company’s board.
- (2) A director of a company may be held liable-
  - (a) in accordance with the principles of the common law relating to breach of a fiduciary duty, for any loss, damages or costs sustained by the company as a consequence of any breach by the director of a duty contemplated in section 75, 76(2) or 76(3)(a) or (b);
POPI Condition 1 Accountability
Responsible party to ensure conditions for lawful processing
The responsible party must ensure that the conditions set out in this Chapter, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself.