Following in the footsteps of GDPR, CCPA, and LGPD, South Africa’s data privacy law, Protection of Personal Information Act (POPIA), took effect on July 1st, 2020, with an effective date for enforcement of July 1st, 2021. What this means is that affected organizations have a year to prepare and should take advantage of the grace period to stay ahead of requirements.
POPIA is modeled after the EU’s GDPR, as many recent data privacy laws and frameworks have been. By doing so POPIA grants users rights over how their data is handled, including eight minimum requirements for data processors and the creation of a regulatory body, the Information Regulator (SAIR).
What’s interesting about POPIA is that it was initially drafted in the early 2000s modeled after the EU’s ePrivacy Directive, however it was tabled, modified over time, and eventually left in limbo until it started being implemented piece-by-piece in the mid-2010s. Furthermore, POPIA replaces personal information provisions from South Africa’s existing Electronic Communications and Transactions Act (ECTA).
So, with all this said, what does the Protection of Personal Information Act entail in 2020 and beyond?
POPIA applies to any company or organization, I.e. a responsible party, that processes POPIA’s definition of personal information in South Africa. If you’re familiar with other data privacy laws, this differs in that data processing that occurs outside South Africa is not protected (even if the data being processed belongs to a South African data subject).
Those who process data on behalf of a responsible party, I.e. an operator, must also be aware of POPIA’s requirements, however it is ultimately the responsible party who must ensure lawful processing of personal information even when processed by an operator.
POPIA also requires end-user consent before processing personal information, with additional requirements and safeguards for “special personal information”. Additionally, end-users can withdraw this consent at any time.
For clarity, POPIA defines consent as “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”.
However, there are exceptions where consent is not necessary, including protection of “legitimate interests” of data subjects as well as obligations imposed by law on the responsible party. This can lead to some ambiguity in how POPIA will be enforced, which will become clearer in 2021 when enforcement begins by the regulatory body (SAIR).
As a definition of personal information, POPIA broadly includes any information relating to a living person, company, or legal entity. This is an important distinction, as many data privacy laws only target living persons for protections while POPIA extends the range of who is protected.
Personal information includes, but is not limited to:
This definition is also further broken down into the category “special personal information”, which includes religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, as well as criminal records or alleged criminal offenses.
Organizations handling personal information must take specific precautions to prevent loss, damage, or unauthorized access to said personal information, and must report any unauthorized access, I.e. a breach, to the Information Regulator (SAIR).
POPIA creates several rights for South African citizens, also known as data subjects. In broad terms, these rights include the right to access, the right to correction, and the right to deletion of personal information.
Under POPIA, data subject rights include the:
The full list of user rights granted by POPIA can be found in Chapter 2 of the written act, under “Rights of data subjects”.
An additional note about user rights is that personal information should be deleted or “de-identified” as soon as the purpose for collecting said data has been achieved. However, to accommodate data subject requests organizations need to retain personal information long enough for data subjects to request access to it.
As with other requirements under POPIA, there are exceptions such as when data must be retained by law.
In addition to requirements for data subject consent, POPIA also defines what lawful data processing is via the eight conditions outlined in Chapter 3 of the written act:
If these conditions cannot be met, then personal information cannot lawfully be processed under POPIA.
Data transfers of personal information to foreign countries that don’t provide adequate levels of protection are also prohibited by POPIA, although there are exceptions listed in Chapter 9 (Transborder Information Flows).
For official positions within an organization, POPIA requires the appointment of an Information Officer and a Deputy Information Officer, similar to GDPR’s requirement for a Data Protection Officer.
Responsibilities of the Information Officer include:
Finally, it should also be noted that organizations found to be in non-compliance with POPIA risk fines of up to 10 million ZAR, or roughly $650,000 USD, as well as imprisonment up to 10 years for serious offenses.
All this information can seem overwhelming, however, the primary requirements for POPIA compliance are outlined below.
These steps are a solid jumping off point, however organizations that must comply with POPIA should become familiar with the full legal text (found here).
In order to comply with POPIA, Stealthbits provides a range of capabilities that allow organizations to identify, secure, and report on personal information.
Host Discovery: Identify the different platforms within the network that may contain various unstructured and structured data repositories to ensure a comprehensive view of your organization’s data privacy footprint.
Sensitive Data Discovery: Capabilities that analyze content for patterns or keywords that match built-in or customized criteria related to data privacy.
Remediation Actions: Automate all or portions of the tasks needed to demonstrate compliance with POPIA and a myriad of other regulatory standards, such as GDPR, CCPA, and LGPD.
With StealthAUDIT, automatically discover where unstructured and structured data exists across your network, scan those files for sensitive data, classify and tag each sensitive file, automatically clean-up stale files, and more.
Workflows StealthAUDIT helps with include:
Learn more about how Stealthbits can help protect your organization’s data and Active Directory here.
Proper data security begins with a strong foundation. Find out what you're standing on with a free deep-dive into the security of your Structured and Unstructured Data, Active Directory, and Windows infrastructure.Read more
Start a Free Stealthbits Trial!
No risk. No obligation.