Personal Information Impact Assessments (PIIA) are used to investigate, recognize, and mitigate potential risks to data when

  • implementing a new POPI compliance framework
  • changing processes
  • introducing new processes
  • changing technology
  • introducing new technology
  • changing the type and classification of information which is processed
  • appointing or being appointed as an operator
  • before launching a new project

or in any other instance where a risk assessment is required because of new or changed risks to information security, confidentiality or integrity.

As a matter of good practice, a PPIA should be continuously reviewed and regularly re-assessed.


The Information officer is responsible for ensuring that a personal information impact assessment is done so that adequate measures and standards are implemented in order to comply with the conditions for the lawful processing of personal information.


By performing a PIIA you will be able to:

  • Identify information which is at risk
  • Identify and understand data protection risks
  • Assess the lawfulness of processing
  • Assess the proportionality of processing
  • Assess whether data subject rights are being upheld
  • Assessing data quality
  • Assess whether processing and further processing is happening as permitted
  • Assess the possibility of the risks happening as well as the potential impact if they do
  • Calculate methods to decrease or eliminate those risks
  • Decide if the benefits of the change, outsourcing or project outweigh data protection risks
  • Implement required risk mitigation and protective measures
  • Assess whether risk mitigation is effective
  • Prepare an informed statement that will disclose the risks to any affected person
  • Document data protection measures to demonstrate compliance to the Information Regulator
  • Identify opportunities to incorporate “Data Privacy by Design”
  • Approve and record outcomes


A PIIA is required in order to identify the risks to personal information, data subjects and the organisation and create a compliance framework to address these risks. Instances where a PIIA may be required includes:

  • Where data is processed and there has not been any impact assessment completed
  • A systematic monitoring of an area on a large

Example: Using a security camera placed on a business premises to record and monitor behaviour and identify criminal activity.

  • Processing special categories of data (sexual orientation, race, religion, etc.) or children’s

Example: An employment application that collects racial information or criminal history from persons who wish to apply for a job.

  • Data concerning vulnerable data subjects that may be unable to provide valid

Example: Processing the data of children or mentally ill individuals.

  • Innovative technological or organisational

Example: Software that provides user access based on fingerprints or face recognition.

  • Processing data which is highly sensitive and where a breach may lead to criminal prosecution

Example: Processing bank account information of suppliers, customers or staff.

  • Evaluation or scoring of individuals, including profiling and

Example: An internet technology that monitors user behaviour and uses that information to build marketing profiles.

  • Automated decision-making with legal or otherwise significant effect on the lives of individuals.

Example: A computer program that uses the behavioural history of staff to automatically determine if they will qualify for an increase.

  • An evaluation of consumer information in which decisions are made based upon automatic processing and

Example: A technology that uses a person’s financial history to automatically determine whether or not that person is eligible for a loan.


Conducting a PIIA provides a number of benefits. This includes:

  • Ensuring and demonstrating that your organisation complies with POPI and avoids sanction
  • Ensuring your users, suppliers, customers etc. are not at risk of their data protection rights being violated
  • Reducing operation costs by optimising information flows
  • Eliminating unnecessary data collection and processing
  • Ensuring information is accessible, reliable and confidential


Assessments should be conducted in a methodical and organised way and be fully documented. The assessment scope should be clear, identifying the process or function under review, as well as the information.

All risks to the information must be identified, and this applies to the information at rest and in transit.

Once risks have been identified, these should be assessed in terms of probability and impact and a risk score obtained. This risk assessment should be done on the basis of “inherent risk”, in other words, the risk without taking account of any controls or mitigation you have in place.

Once the inherent risk is calculated, the existing mitigation and risk management controls in the organisation should be identified. Existing controls should be assessed to see whether these are sufficient to effectively mitigate the risk. The risk that remains subsequent to the implementation of controls is the “residual risk”.

Where the existing controls reduce the residual risk to an acceptable level, no further action may be required, but where the risk is not effectively mitigated, action is needed.

Ways of addressing the risk should be identified and then evaluated, in order to find an appropriate solution. Considerations and recommendations should be made in respect of the residual risks and proposed treatment, such as whether a proposed change or project is worthwhile considering the risk, or whether risk treatment is viable.

Where risk treatment is anticipated or proposed, the effectiveness should be tested to ensure that the risk is adequately managed.

Where this is not possible, a decision will have to be made about the area under risk, and what the best course of action will be.