• POPIA contains explicit provisions about documenting your processing operations.
  • You must maintain records on several things such as processing purposes, data sharing and retention.
  • You may be required to make the records available to the Information Regulator and data subjects on request.
  • Documentation can help you comply with other aspects of the POPIA and improve your data governance.
  • Responsible parties and operators both have documentation obligations.
  • Information audits, data flow analysis or data mapping exercises can feed into the documentation of your processing operations.
  • Records must be kept in writing.
  • Most organisations will benefit from maintaining their records electronically.
  • Records must be kept up to date and reflect your current processing operations.
  • We have produced a system and templates to help you document your processing operations.



Documentation of processing activities – requirements 

☐ If we are a responsible party for the personal information we process, we document all the applicable information under Section 17 of POPIA.

☐ If we are an operator for the personal information we process, we document all the applicable information under Section 17 of POPIA.

If we process special category or criminal conviction and offence information, we document:

☐ the condition for processing;

☐ the lawful basis for our processing; and

☐ whether we retain and erase the personal data in accordance with our policy document.

☐ We document our processing activities in writing.

☐ We document our processing activities in a granular way with meaningful links between the different pieces of information.

☐ We conduct regular reviews of the personal data we process and update our documentation accordingly.


Documentation of processing activities – best practice

When preparing to document our processing operations we:

☐ do information audits, data flow analysis or data mapping exercises to find out what personal information our organisation holds;

☐ distribute questionnaires and talk to staff across the organisation to get a more complete picture of our processing operations; and

☐ review our processing diagrams, system documentation, policies, procedures, contracts and agreements to address areas such as retention, security and data sharing.

As part of our record of processing operations we document, or link to documentation, on:

☐ information required for privacy notices;

☐ records of consent;

☐ responsible party-operator contracts;

☐ the location of personal information;

☐ personal information impact assessment reports; and

☐ records of personal information interference and security breaches.

☐ We document our processing operations in electronic form (not using Excel) so we can add, remove and amend information easily. (Use the 'Contact Us' form above to request information.)



What’s needed under POPIA?

  • The documentation of processing activities is an important requirement under POPIA.
  • You need to make sure that you have in place a record of your processing operations by 1 July 2021.

What is documentation?

  • All organisations are required to maintain a record of their processing operations, covering areas such as processing purposes, data sharing and retention; this is called documentation.
  • Documenting your processing operations is important, not only because it is itself a legal requirement, but also because it can support good data governance and help you demonstrate your compliance with other aspects of POPIA and assist data subjects submit their objection.

Who needs to document their processing activities?

  • Responsible parties and operators each have their own documentation obligations.
  • There is no exemption for small and medium-sized organisations, however we have a simplified approach. 

What do we need to document under Section 17 of POPIA?

You must document the following information:

  • The name and contact details of your organisation's responsible parties (and where applicable, of other joint responsible parties, and your information officer).
  • The purposes of your processing.
  • A description of the categories of individuals and categories of personal data.
  • The categories of recipients of personal data.
  • Details of your transfers to third countries including documenting the transfer mechanism safeguards in place.
  • Retention schedules.
  • A description of your technical and organisational security measures.

Should we document anything else?

As part of your record of processing operations, it can be useful to document (or link to documentation of) other aspects of your compliance with POPIA and PAIA. Such documentation may include:

  • information required for privacy notices, such as:
    • the lawful basis for the processing
    • the legitimate interests for the processing
    • data subjects’ rights
    • the existence of automated decision-making, including profiling
    • the source of the personal information;
  • records of consent;
  • responsible party-operator contracts;
  • the location of personal information;
  • personal information impact assessment reports;
  • records of personal information interference and security breaches;
  • information required for processing special category information or criminal conviction and offence information, covering:
    • the condition for processing;
    • the lawful basis for the processing; and
    • your retention and erasure policy document.

How do we document our processing operations?

  • Doing an information audit, data flow analysis or data mapping exercise can help you find out what personal information your organisation holds and where it is.
  • You can find out why personal information is used, who it is shared with and how long it is kept by distributing questionnaires to relevant areas of your organisation, meeting directly with key business functions, and reviewing diagrams, policies, procedures, contracts and agreements.
  • When documenting your findings, the records you keep must be in writing, you will benefit from maintaining the records electronically.
  • The information must be documented in a granular and meaningful way.
  • We have developed a POPIA documentation system and templates to help you document your processing activities.