POPIA Implementation: Appointment and Registration of Information Officers

The information regulator (IR) has recently issued their Guidance Note on Information Officers and Deputy Information Officers . This is an important step in clarifying the position of Information Officers (IOs) and Deputy Information Officers (DIOs)within organisations.

The IO of an organisation is theperson who is responsible for their data privacy compliance. The Guidance Note has a useful table setting out exactly who the IR will see asIO for various bodies.

This article is only focusing on private bodies.


Nature of the Body Identity of Information Officer
Private Body Natural Person A natural person who carries on any trade, business or profession, but only in such capacity or any person duly authorised by that natural person.
Partnership Any partner of the partnership or any person duly authorised by the partnership.
Juristic Person Chief Executive Officer or the Managing Director or equivalent officer of the juristic person or any person duly authorised by that officer or any person who is acting as such or any person duly authorised by such acting person.


The net result of the above is that the IO is, by default, the head of an organisation. This is unless an IO is appointed in terms of the abovementioned guidance note. Even when appointed, however, they may only take up this appointment once registered with the IR.

Some risk can be conferred to this appointed IO as they are required to be senior within the organisation. The person ultimately responsible for POPIA and PAIA compliance will, however, always be the head of the company. This is important as the Guidance Note confirms that an Information Officer may (on conviction) be held criminally liable for certain offences in terms of the PAIA.

If your company is a multinational (and operating in South Africa) you will be required to designate a person within South Africa as your IO.

The IO is then responsible for compliance with the POPIA and the PAIA. This can be by whatever means they deem appropriate (as the legislation is principle based and not prescriptive) but in terms of Regulation 4 of the POPIA Regulations they must, at least ensure that:


  • a compliance framework is developed, implemented, monitored and maintained;
  • a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
  • a manual is developed, monitored, maintained and made available as prescribed in sections 14 and 51 of the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000);
  • internal measures are developed together with adequate systems to process requests for information or access thereto; and
  • internal awareness sessions are conducted regarding the provisions of the Act, regulations made in terms of the Act, codes of conduct, or information obtained from the Regulator.

Sections 56 of the POPIA and 17 of the PAIA, allow for the appointment of any number of DIOs who may be conferred any power or responsibility of the IO. The need for a DIO, or DIOs, must be determined using the structure and size of an organisation. While the Guidance Note states that all multinationals must appoint a DIO in South Africa.

Only sufficiently qualified employees may be designated, in writing, as DIOs (from manager level and above). Whereafter they are to be given sufficient time, resources, training and budget to comply with their delegated responsibilities.

The DIOs are to act as the “face” of data privacy for an organisation. They are the people who will likely run the day-to-day activities of data privacy within an organisation. The IO, however may step in at any time as the IO is the person ultimately responsible.

Both IOs and DIOs need to be registered with the IR, starting from 1 May 2021. 

In a media statement [Link:] the IR stated that it is creating an online portal to facilitate the registration of IOs. This portal should be online by the end of April. The portal, however, has yet to be launched. Consequently, we would recommend manually making manual appointments using the form issued by the IR [Link:].

Internally, there should be an appointment letter issued and signed by the IO and/or DIOs. The internal appointment letter must capture, at a minimum, the same level of detail as set out in the Guidance Note but should also capture specificities of the company – which may need to remain confidential, such as Research and Development. This letter is especially important if the IO and/or DIOs have dual roles.

Should you need assistance in appointing, training or registering your IOs or DIOs, contact one of our data privacy experts here at Atvance Intellect.


to connect with our expert 

Brendon Ambrose

A smart and simple solution to cyber-risk to stop losing systems and data to the cybercrime quicksand
Het beschermen van gegevens, privacy en persoonlijke identiteit in de maalstroom dat
The safeguarding and protection of data should not be a box ticking exercise
Concept straight out of a 70s science fiction movie
Ransomware, de haai die maar niet opgeeft in de zee van cybercriminaliteit.
In January and February 2021, 37% of global organisations fell victim to ransomware
An intelligent guide, to intelligent privacy
Compliance is a benefit, not a complication
Welcome to the intelligent city of the future where the world isn’t just smart, it’s fast
De ontbrekende schakel: verbonden edge computing
Is anybody listening to organisations as they struggle with data volumes, complexity and cost?
Are you required to register your Information Officer and Deputy
How security and strategy combine to deliver business resilience and capability
Defending against cybercriminals is a complex, ever-evolving, and never-ending challenge
You cannot afford to be complacent about compliance
Let’s ask the big one. Why do we believe technology is the future?