Abstract
Internet of Things (IoT) devices have revolutionised the way people do things, from
agriculture to insurance to healthcare, by offering many benefits to individuals and
organisations. These smart devices collect, process and store personal information. However,
handling users' personal information comes with privacy challenges, such as user identification,
profiling, and user tracking. Many countries have designed and implemented privacy laws so
that anyone handling personal information must adhere to them to reduce privacy challenges.
In South Africa, the Protection of Personal Information (POPI) Act was enacted in 2013. As of
the 1st of July 2021, private and public sectors that collect, process and store personal
information are expected to comply with the POPI Act. IoT technology is not exempted from
adhering to the act.
The search for a privacy compliance measuring tool for IoT devices has resulted in various
research frameworks and evaluation models to support IoT privacy. These frameworks and
evaluation models greatly assist with preserving data subjects' privacy but, unfortunately, do
not provide guidelines for maintaining privacy through compliance with privacy regulations.
The research conducted in this dissertation proposes the PPC-ID (POPI Act privacy compliance
framework for Internet of Things devices) framework to evaluate how IoT devices comply with
the conditions of the POPI Act. The framework assesses five IoT privacy challenges: user
consent acquisition, user identification, profiling, user control, and user tracking. The PPC-ID
framework measures the compliance of an IoT device with the POPI Act and produces a
dashboard that provides a visual representation of metrics that describe the compliance.