Compliance · 13 May 2026 · 8 min read

The Compliance Officer's Checklist for Deploying AI Under POPIA

A practical, section-by-section checklist for signing off an AI system under POPIA — lawful basis, security safeguards, cross-border transfers, and the audit evidence you will be asked to produce.

Tumiso Graig Ramaboya
Founder, CEO & POPIA Information Officer

Most AI projects stall not in engineering but at sign-off, when a compliance officer is asked to approve something they were not involved in designing. This checklist is written for that moment. It walks the POPIA obligations that an AI system has to satisfy, in the order you should check them, and names the evidence you will be asked to produce. It is general guidance, not legal advice.

1. Lawful basis (Section 11)

Before anything else, establish the lawful basis for every piece of personal information the system processes — including training data, prompts, and retrieved documents. Section 11 requires processing to rest on a ground such as consent, contractual necessity, legal obligation, or legitimate interest. The checklist item: for each data flow, name the ground and the evidence for it. If you cannot name the ground, you cannot deploy.

2. Purpose specification and minimisation

POPIA requires that data be collected for a specific purpose and not used beyond it, and that you process the minimum necessary. For AI this bites hardest on prompts: systems routinely send a whole customer record when the task needs one field. The checklist item: confirm each inference sends only the data the task requires, and that the AI use falls within the purpose the data was collected for.
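As an added example (not code from the article or from sonofgraig), a purpose-bound prompt builder in Python: each task declares the fields it may send, and a second function is the sign-off check, flagging any undeclared field whose value still appears in the prompt about to leave the system. The task names and field names are assumed.

```python
# Fields each task is allowed to send to the model (assumed example tasks and fields).
TASK_FIELDS = {
    "address_check": ("customer_id", "postal_code"),
    "claims_triage": ("customer_id", "claim_text"),
}


def build_prompt(task: str, record: dict) -> str:
    """Render only the fields declared for this task; a task with no declared purpose
    is refused rather than defaulted to the whole record."""
    if task not in TASK_FIELDS:
        raise KeyError(f"no purpose declared for task {task!r}")
    payload = {k: record[k] for k in TASK_FIELDS[task] if k in record}
    lines = [f"{k}: {v}" for k, v in payload.items()]
    return f"task: {task}\n" + "\n".join(lines)


def leaked_fields(task: str, record: dict, prompt: str) -> list[str]:
    """Checklist check: names of undeclared fields whose values still appear in the
    rendered prompt. Substring matching is deliberately conservative."""
    allowed = set(TASK_FIELDS[task])
    return [k for k, v in record.items()
            if k not in allowed and str(v) and str(v) in prompt]
```

Run `leaked_fields` against the real prompt builder in a test suite so that a template change which starts pulling in extra fields fails before it reaches production.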

3. Security safeguards (Section 19)

Section 19 requires appropriate technical and organisational measures to secure personal information — encryption in transit and at rest, access controls, and protection of any vector store or index that now holds embeddings of personal data. The checklist item: confirm the vector database, the document store, and the logs are encrypted, access-controlled, and in-region. Embeddings derived from personal data are themselves personal data.

4. Cross-border transfers (Section 72)

If any personal information leaves South Africa — most commonly to an offshore model endpoint — Section 72 requires a ground: adequate-protection agreement, consent, or contractual necessity. The cleanest answer is to keep inference in-region so the question never arises. The checklist item: confirm where model inference runs, and if it is offshore, produce the transfer ground. Full detail is in the Section 72 piece.

5. Bias, explainability, and automated decisions

Where the system makes or materially supports decisions about people, you need evidence that it has been tested for bias across protected groups and that individual decisions can be explained. In practice this means fairness metrics (e.g. Fairlearn) and per-prediction attribution (e.g. SHAP), documented. The checklist item: produce a bias report and an explainability artefact for each decisioning model.

6. The audit trail

Finally, the system must be able to answer, after the fact, four questions in one query: who used what, on which data, with which model, under which lawful basis. If those cannot be answered, none of the items above can be proven when it matters. The checklist item: confirm the audit log captures all four per inference. This is what a Governance Hub exists to provide — see the governance piece.
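An added example, not code from the article or from any Governance Hub product: a per-inference audit record in Python that refuses to log an inference unless all four answers are present and the lawful basis is one of the Section 11 grounds named above, a single query over any combination of the four fields, and a checklist check that runs over an exported log. The field names and the Python representation are assumed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# The four questions every inference record must answer (field names are assumed).
REQUIRED_FIELDS = ("actor", "data_ref", "model", "lawful_basis")
# Grounds the article names under Section 11; anything else is rejected at write time.
LAWFUL_BASES = {"consent", "contractual_necessity", "legal_obligation", "legitimate_interest"}


@dataclass(frozen=True)
class InferenceRecord:
    actor: str         # who: authenticated user or service principal
    data_ref: str      # on which data: an identifier, never the personal data itself
    model: str         # with which model: endpoint name and version
    lawful_basis: str  # under which Section 11 ground
    timestamp: str     # UTC ISO-8601, set by the logger


class AuditLog:
    def __init__(self) -> None:
        self._records: list[InferenceRecord] = []

    def record(self, **fields: str) -> InferenceRecord:
        """Refuse to log an inference that cannot answer all four questions."""
        missing = [f for f in REQUIRED_FIELDS if not fields.get(f)]
        if missing:
            raise ValueError(f"audit record incomplete, missing {missing}")
        if fields["lawful_basis"] not in LAWFUL_BASES:
            raise ValueError(f"unknown lawful basis {fields['lawful_basis']!r}")
        rec = InferenceRecord(timestamp=datetime.now(timezone.utc).isoformat(),
                              **{f: fields[f] for f in REQUIRED_FIELDS})
        self._records.append(rec)
        return rec

    def query(self, **match: str) -> list[InferenceRecord]:
        """One query over any combination of the four fields, e.g. query(data_ref=...)."""
        return [r for r in self._records
                if all(getattr(r, k) == v for k, v in match.items())]


def audit_gaps(exported: list[dict]) -> list[tuple[int, list[str]]]:
    """Checklist check over an exported log: rows that cannot answer all four questions."""
    gaps = []
    for i, row in enumerate(exported):
        missing = [f for f in REQUIRED_FIELDS if not row.get(f)]
        if missing:
            gaps.append((i, missing))
    return gaps
```

Refusing the write is the important part: a log that accepts a record with an empty lawful basis will look complete at sign-off and fail only when a regulator asks the fourth question.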

Getting to sign-off faster

Our AI Governance & Ethics Audit runs this checklist against an existing or planned system, maps the gaps against Sections 11, 19, and 72, and produces a board-ready report signed by a registered Information Officer. The statutory background is in the POPIA sections deep-dive, and our standing posture is on the POPIA page.

Frequently asked

Who signs off an AI system under POPIA?
Accountability sits with the responsible party, operationalised through the registered Information Officer. In practice a compliance officer or DPO assembles the evidence — lawful basis, security safeguards, transfer grounds, and audit trail — and the Information Officer accepts the residual risk.
Does POPIA require a data protection impact assessment for AI?
POPIA does not use the GDPR term "DPIA," but the Regulator expects risk to be assessed and documented for higher-risk processing. For AI that makes or supports decisions about people, a documented impact assessment is the practical standard, covering bias, explainability, and the lawful basis.
What is the penalty for getting POPIA wrong?
POPIA provides for administrative fines up to R10 million and, for certain offences, criminal liability including imprisonment. Beyond penalties, the reputational and contractual fallout of a breach in a regulated sector is usually the larger cost.