What must my Company do to be POPI compliant?


POPI compliance is a process that requires time, the right tools, and the appropriate skillset. Gwirio is here to help you with 5 easy steps.


Step 1:  Accountability

  • Get buy-in and commitment to privacy from your management and;
  • Appoint an Information Officer and register them with the Information Regulator.

Step 2: Basic policies

  • Draft and publish a POPI Policy.  It demonstrates your commitment to privacy to your customers, staff and suppliers.
  • All companies must prepare and publish a PAIA handbook. This is a clear commitment to privacy and a useful tool to establish communication channels with your Data Subject.
  • Companies with less than 50 employees has exemption until 31st of December 2021 for the creation of their PAIA handbook.

Step 3:  Compliance framework

  • Gwirio provides a basic framework that will assist your Information Officer to conduct a review of information practices, procedures, and requirements.

Step 4:  Compliance actions

The compliance actions vary for each company, but it will require you to address:

  • Policies and procedure
  • Operator agreements
  • Data and consent management
  • Queries and complaints process

Step 5:  Track and Report

  • Monitor and report on your progress by using the compliance framework reports.

Step 3 – 5 will require a substantial amount of work from your Information Officer, but if you sign up on our platform, we will support you through the entire process


How can Gwirio help my company on its compliance journey?


Our online platform assists you in reviewing and tracking progress as well as act on compliance requests.  The system:

  • Enables you to review your organisation against a basic compliance framework and identifies areas that require your attention.
  • Provides for Information and Consent certification, including validation of information and certification by the Data Subject (Data Subject participation).
  • Timeously notifies your team of Data Subjects inquiries and requests. All communication is logged, managed, and reported on.
  • Provides you with a dashboard and reports that assist you in staying up to date with privacy requirements.
  • Documented proof of compliance and progress on journey.
What makes Gwirio different from other POPIA service providers?


Gwirio focuses on the compliance journey and focusses on helping you to move forward.  We provide you with a tool to track and maintain compliance measures and can demonstrate compliance.

Our data validation and consent management services are unique to the market.  The results are based upon the actual data held in your data store and the responses from Data Subject.  This way we drive Data Subject participation and proof of consent.


What does the Gwirio Compliance Framework cover?


Our Compliance Framework consists of a basic process to review your organisation’s compliance using a question-and-answer principal.

It includes questions around:

  • Accountability and responsibility in your organisation
  • Policies and procedures required for privacy compliance
  • Your Data and Risk management environment
  • Physical security fundamentals
  • IT Securty essentials
  • Training and awareness

It offers one of the three principal compliance reporting elements in the Gwirio compliance progress report. The second is based on the information in your data stores that drives certificates. The last is the response process regarding Data Subject communication.

What does the Data and Risk model cover?


The model considers each of the four major information groups and allows you to review the requirements for each group.  These information groups are:

  • Customer Information
  • Employee Information
  • Supplier Information
  • Stakeholder Information (Shareholders, partners, members)

With the Gwirio model we can assist you in reviewing your environment and compliance areas.

What is data certification?


It is process where Gwirio works with your information and communicate the data fields and the purpose for processing with the Data Subject.   It is written into a certificate specific to your organisation, the Data Subject, the allowed data, allowed actions and a time limit.

The certificate allows Gwirio to validate data points, verify information and prove your right to access the information. It also helps with the lifecycle management of data records and automates notifications for your internal controls.

The certificate is also a control point to track and manage communication between your organisation and the Data Subject, specific to their information. It allows the Data subject to query, request a process hold or log a complaint directly with you.