ARTICLE
19 March 2026

Personal Information Impact Assessments: When And How To Conduct Them

ENS

Contributor

ENS is an independent law firm with over 200 years of experience. The firm has over 600 practitioners in 14 offices on the continent, in Ghana, Mauritius, Namibia, Rwanda, South Africa, Tanzania and Uganda.

With the Information Regulator increasingly requesting copies of Personal Information Impact Assessments ("PIIAs") from organisations as part of its compliance and enforcement activities, many organisations are finding themselves under heightened scrutiny. This article takes a look at the requirements should organisations not have a PIIA in place or what to do to ensure that existing documentation meets the requirements.

Compliance with data protection laws requires organisations to implement ongoing measures and align their internal practices with prescribed standards. A PIIA is a legally required document under many data protection laws, but it also serves a practical purpose: it supports the organisation's objective of using personal information lawfully and helps it identify the risks associated with a given processing activity.

Under the Protection of Personal Information Act ("POPIA") Regulations, the Information Officer is legally required to ensure that PIIAs are conducted. POPIA does not, however, prescribe what a PIIA must include or how it should be carried out. Nor is there any guidance from the Information Regulator at this stage regarding the type of information required for a legally sound PIIA.

What is a PIIA?

In the absence of detailed legislative requirements and regulatory guidance, we consider how comparable tools are implemented in other jurisdictions that have similar or more stringent data protection requirements than POPIA. Drawing on international approaches supports compliance with POPIA and an implementation of the law that aligns with international standards. On that basis, we consider that a PIIA enables organisations to understand what personal information is affected by a contemplated processing activity, how that personal information will be handled and whether the proposed processing complies with POPIA. This means assessing how the processing activity measures up against the eight processing conditions (set out in Chapter 3 of POPIA) and other relevant provisions, such as those on direct marketing and cross-border transfers. Once these details are mapped out, the organisation can identify privacy risks and record the measures to be implemented to minimise them.

The contemplated processing should then only commence once the PIIA is completed and the risks identified have been mitigated as recorded. For example, if the PIIA records that the contemplated processing involves the services of a third party, a gap identified could be that there is no data processing (operator) contract in place with that third party. The processing would then only commence once a compliant contract has been concluded.

When do you need to conduct a PIIA?

Given the absence of specific legislative requirements and prescriptive guidance from the Information Regulator, organisations should develop their own practical approach to implementing this requirement. In our view, a proportionate and effective way to achieve compliance is through a two-tier framework: a baseline record of processing activities (ROPA or similar data mapping), supplemented by targeted PIIAs for new projects or processing activities. We discuss this in more detail below.

The baseline for a PIIA is a comprehensive, organisation-wide assessment that documents all existing processing activities across the business. We typically prepare this following a detailed gap analysis to identify an organisation's processing areas and touchpoints with personal information. The result is a consolidated ROPA that maps processing activities by business area, providing a clear foundation for ongoing compliance. Once this baseline is in place, day-to-day compliance becomes considerably more manageable.

The second tier involves targeted PIIAs for new projects and processing activities that involve the processing of personal information and where a potential risk has been identified during the ROPA. In our view, a PIIA should be considered where any of the following circumstances apply:

  • the proposed processing is high-risk, includes the processing of special personal information, or involves high volumes of personal information or special personal information;
  • the proposed processing involves automated decision‑making that produces legal or significant effects on individuals, including profiling individuals based on factors such as performance, creditworthiness, health, behaviour, or preferences;
  • the proposed processing involves complex or wide data flows between multiple operators or responsible parties, or matching or combining personal information from multiple sources;
  • the proposed processing involves linking or merging the organisation's personal information with that of third parties;
  • the organisation wants to introduce new products, services, or systems;
  • the organisation intends to use new or innovative technology, such as artificial intelligence, machine learning, data analytics, or similar technologies that will process personal information;
  • the organisation intends to outsource functions or services;
  • data subjects cannot avoid the processing or are unlikely to know about it, making it difficult for them to opt out of or object to the processing (e.g. CCTV surveillance in public areas, covert investigations, information obtained from data brokers, location data collected from cell phones); or
  • a data breach could jeopardise the health or safety of individuals (e.g. whistleblowing records).

This list is not exhaustive, and organisations should apply their judgement to identify other scenarios where a dedicated assessment would be prudent. The guiding principle, in our view, is that a PIIA is warranted whenever a proposed processing activity may introduce new or materially different privacy considerations (or where you are not certain, we suggest you do a simple PIIA to make sure).

How should a PIIA be conducted?

A PIIA is not a last‑minute legal or compliance checkbox to complete simply for record‑keeping purposes. A PIIA is most effective when completed at the beginning of a project or before significant changes to processing activities take place within the organisation. Although assessments can be carried out at later stages, doing so reduces their value and limits the organisation's ability to implement effective safeguards.

An effective PIIA should address the following key issues:

  • types of personal information affected;
  • the source of the personal information;
  • stakeholders and access;
  • data flows;
  • risk identification; and
  • mitigation measures.

Who completes the PIIA?

Responsibility for PIIAs rests with the Information Officer, as the POPIA Regulations place the obligation on this role to ensure that assessments are conducted. We consider that this can be read as a supervisory obligation: the Information Officer must ensure that PIIAs are completed but need not prepare them personally. In practice, preparing an effective PIIA requires input from across the organisation, including business unit heads, IT, human resources, marketing, and any other departments involved in the day-to-day processing activity under assessment. External advisers, such as legal counsel with data protection expertise, can also play a valuable role in ensuring that PIIAs are thorough, legally compliant, and practically useful.

Same same, but different

In addition to PIIAs, organisations should be aware of related assessment tools that can complement or be integrated into the PIIA process. Two notable examples are third party checklists and transborder impact assessments.

  • Third party checklists are used when an organisation engages an external service provider (referred to as an "operator" under POPIA) to process personal information on its behalf. A third-party checklist functions as a focused, preliminary assessment - effectively a "mini PIIA" - that examines the third party's security measures, data handling practices, and contractual commitments. The outcome of this checklist determines whether a full top-up PIIA is required. In many cases, the third party may simply be assisting with processing activities that are already documented in the ROPA, in which case a standalone checklist confirming adequate safeguards may suffice. However, where the third-party engagement introduces new processing activities, new categories of personal information, or materially different risk considerations, a more comprehensive top-up PIIA may be warranted.
  • Transborder impact assessments address the specific risks associated with transferring personal information outside the borders of South Africa. POPIA imposes conditions on cross-border transfers, requiring organisations to ensure that the recipient country or organisation provides an adequate level of protection, or that an exemption applies. A transborder impact assessment evaluates the destination country's data protection framework, the nature of the personal information being transferred, the purpose of the transfer, and the safeguards in place to protect the information. Where a proposed processing activity involves cross-border data flows, the transborder impact assessment can either be conducted as a separate exercise or folded into the relevant PIIA as an additional layer of analysis.

Keeping the PIIA current

A PIIA should be treated as a living document. Organisational structures, technologies and processing activities evolve over time, and the assessment must reflect these changes. Incorporating regular reviews, checkpoints and updates as part of conducting PIIAs ensures that the PIIA remains accurate and reflects the current processing activities within the organisation.

If you require support in developing PIIAs, integrating them into project lifecycles, or understanding where to begin in implementing them, our team can assist. We offer practical insights, templates, training, hands-on support and tailored solutions to ensure that the processing of personal information by your organisation complies with data protection laws.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

