Accountability-first approach: Understand ROPAs as the primary mechanism for demonstrating accountability under POPIA and GDPR—not just a compliance artefact.
Regulator-ready by design: Learn how regulators and auditors actually use ROPAs during investigations, audits, and breach follow-ups.
POPIA & GDPR aligned: Covers GDPR Article 30 alongside South Africa’s POPIA Section 17, PAIA record-keeping duties, and Information Officer obligations.
Purpose and legal basis: The course opens by explaining why DPAs are essential instruments for assigning responsibilities between controllers and processors. It notes that laws like POPIA and the GDPR make such agreements mandatory and that failing to implement a compliant DPA can expose organisations to significant liability.
Understanding roles and triggers: Early modules clarify the distinction between controllers, processors and sub‑processors. They discuss when a DPA is required and how to recognise the need for data‑processing clauses in broader contracts. The difference between a full DPA and a data‑processing addendum is also addressed.
Core clauses and obligations: Participants learn the mandatory elements that must appear in a DPA, such as the scope of processing, security measures, sub‑processing approvals, breach notification and assistance with data‑subject rights. There is emphasis on tailoring these provisions to meet the expectations of POPIA, the GDPR, UK GDPR, US state laws and other regional frameworks.