South Africa’s Protection of Personal Information Act (POPIA) Compliance

Following in the footsteps of GDPR, CCPA, and LGPD, South Africa’s data privacy law, Protection of Personal Information Act (POPIA), took effect on July 1^st, 2020, with an effective date for enforcement of July 1^st, 2021. What this means is that affected organizations have a year to prepare and should take advantage of the grace period to stay ahead of requirements.

POPIA is modeled after the EU’s GDPR, as many recent data privacy laws and frameworks have been. By doing so POPIA grants users rights over how their data is handled, including eight minimum requirements for data processors and the creation of a regulatory body, the Information Regulator (SAIR).

What’s interesting about POPIA is that it was initially drafted in the early 2000s modeled after the EU’s ePrivacy Directive, however it was tabled, modified over time, and eventually left in limbo until it started being implemented piece-by-piece in the mid-2010s. Furthermore, POPIA replaces personal information provisions from South Africa’s existing Electronic Communications and Transactions Act (ECTA).

So, with all this said, what does the Protection of Personal Information Act entail in 2020 and beyond?

Who Does POPIA Apply To & What Does That Mean?

POPIA applies to any company or organization, I.e. a responsible party, that processes POPIA’s definition of personal information in South Africa. If you’re familiar with other data privacy laws, this differs in that data processing that occurs outside South Africa is not protected (even if the data being processed belongs to a South African data subject).

Those who process data on behalf of a responsible party, I.e. an operator, must also be aware of POPIA’s requirements, however it is ultimately the responsible party who must ensure lawful processing of personal information even when processed by an operator.

POPIA also requires end-user consent before processing personal information, with additional requirements and safeguards for “special personal information”. Additionally, end-users can withdraw this consent at any time.

For clarity, POPIA defines consent as “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”.

However, there are exceptions where consent is not necessary, including protection of “legitimate interests” of data subjects as well as obligations imposed by law on the responsible party. This can lead to some ambiguity in how POPIA will be enforced, which will become clearer in 2021 when enforcement begins by the regulatory body (SAIR).

As a definition of personal information, POPIA broadly includes any information relating to a living person, company, or legal entity. This is an important distinction, as many data privacy laws only target living persons for protections while POPIA extends the range of who is protected.

Personal information includes, but is not limited to:

• Names, addresses, phone numbers
• Age, date of birth, appearance, gender, sexual orientation
• Employment history, financial information, education history
• Email addresses, IP addresses, location data, browser/search history, cookies/trackers
• Health and medical information

This definition is also further broken down into the category “special personal information”, which includes religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, as well as criminal records or alleged criminal offenses.

Organizations handling personal information must take specific precautions to prevent loss, damage, or unauthorized access to said personal information, and must report any unauthorized access, I.e. a breach, to the Information Regulator (SAIR).

What Rights Does POPIA Grant Users?

POPIA creates several rights for South African citizens, also known as data subjects. In broad terms, these rights include the right to access, the right to correction, and the right to deletion of personal information.

Under POPIA, data subject rights include the:

• Right to be notified that personal information about them is being collected or that personal information has been accessed or acquired by an unauthorized person
• Right to establish whether a responsible party holds their personal information and to request access to their personal information
• Right to request the correction, destruction, or deletion of their personal information
• Right to object to the processing of their personal information
• Right to not to be subject to a decision which is based solely on the automated processing of their personal information intended to provide a profile of them
• Right to submit a complaint to the POPIA regulatory body (SAIR) regarding interference with the protection of the personal information of any data subject
• Right to institute civil proceedings regarding interference with the protection of their personal information

The full list of user rights granted by POPIA can be found in Chapter 2 of the written act, under “Rights of data subjects”.

An additional note about user rights is that personal information should be deleted or “de-identified” as soon as the purpose for collecting said data has been achieved. However, to accommodate data subject requests organizations need to retain personal information long enough for data subjects to request access to it.

As with other requirements under POPIA, there are exceptions such as when data must be retained by law.

Lawful Data Processing & Additional POPIA Requirements

In addition to requirements for data subject consent, POPIA also defines what lawful data processing is via the eight conditions outlined in Chapter 3 of the written act:

• Accountability – Data processing must be lawful and does not violate privacy rights
• Processing limitation – Data is only processed to achieve a specific purpose
• Purpose specification – The purpose for data processing must be defined
• Further processing limitation – Additional processing must be within the original purpose the user consented to
• Information quality – Processed data must be accurate and up to date
• Openness – Data processing workflows must be documented
• Security safeguards – Processed data must be protected and secured
• Data subject participation – Data subjects must have rights to access, correction, and deletion of personal information

If these conditions cannot be met, then personal information cannot lawfully be processed under POPIA.

Data transfers of personal information to foreign countries that don’t provide adequate levels of protection are also prohibited by POPIA, although there are exceptions listed in Chapter 9 (Transborder Information Flows).

For official positions within an organization, POPIA requires the appointment of an Information Officer and a Deputy Information Officer, similar to GDPR’s requirement for a Data Protection Officer.

Responsibilities of the Information Officer include:

• Encourage and ensure compliance of POPIA
• Respond to and handle data subject requests regarding their personal information
• Work with the Information Regulator (SAIR) regarding breaches, violations, and investigations

Finally, it should also be noted that organizations found to be in non-compliance with POPIA risk fines of up to 10 million ZAR, or roughly $650,000 USD, as well as imprisonment up to 10 years for serious offenses.

Putting It All Together

All this information can seem overwhelming, however, the primary requirements for POPIA compliance are outlined below.

• Confirm if your organization is subject to POPIA compliance
• Get user consent before processing personal information
• Ensure all personal information is processed in a manner compliant with the eight conditions outlined by POPIA (I.e. lawful processing)
• Be able to respond to data subject requests per rights granted by POPIA
• Locate all personal information stored by your organization and ensure it is properly protected
• Delete or “de-identify” personal information once the purpose for collecting the information has been achieved
• Ensure data transfers out of South Africa are to countries that can provide adequate protection
• In cases where consent or adequate protection cannot be guaranteed, verify if there’s a legal exception in POPIA that still allows data processing or transport
• Appoint an Information Officer and a Deputy Information Officer
• Update your privacy policy to include POPIA compliance

These steps are a solid jumping off point, however organizations that must comply with POPIA should become familiar with the full legal text (found here).

How Stealthbits Helps with POPIA Compliance

In order to comply with POPIA, Stealthbits provides a range of capabilities that allow organizations to identify, secure, and report on personal information.

StealthAUDIT, a full-fledged Data Access Governance (DAG) solution, includes: 

Host Discovery: Identify the different platforms within the network that may contain various unstructured and structured data repositories to ensure a comprehensive view of your organization’s data privacy footprint. 

Sensitive Data Discovery: Capabilities that analyze content for patterns or keywords that match built-in or customized criteria related to data privacy. 

Remediation Actions: Automate all or portions of the tasks needed to demonstrate compliance with POPIA and a myriad of other regulatory standards, such as GDPR, CCPA, and LGPD.

With StealthAUDIT, automatically discover where unstructured and structured data exists across your network, scan those files for sensitive data, classify and tag each sensitive file, automatically clean-up stale files, and more.

Workflows StealthAUDIT helps with include:

• Understanding access rights, permissions, activity, data sensitivity, ownership, and file metadata across unstructured and structured data sources 
• Implementing a least privilege access model, ensuring access rights and permissions are limited to only what users need 
• Monitoring and securing Active Directory to prevent unauthorized access to data resources and mitigate risks associated with account compromise and privilege escalation 
• Maintaining a full, searchable audit trail of all file access activities, Active Directory changes, account authentications, and more for forensic investigations and auditors

Learn more about how Stealthbits can help protect your organization’s data and Active Directory here.