The POPI Act, or POPIA, is South Africa’s data protection law. The “Protection of Personal Information Act” is equivalent to the EU’s GDPR. It answers the questions of how, why, and by whom sensitive data can be collected, stored and distributed. What exactly does that mean, and how can you make sure your organization complies with the regulation?
Let’s dive deeper into what the POPIA is before we discuss concrete steps that your organization needs to take in order to comply with the regulation.
What is the scope of POPIA?
Every entity, private or public, that is either domiciled in South Africa or not domiciled in South Africa but processes personal information in South Africa falls under POPIA’s scope.
First, let’s take a look at some definitions.
“Personal information” is defined very broadly in the POPIA and includes:
- Any kind of ID or contact information
- Biometrics
- Demographic information (language, race, marital status, etc.)
- Information about education
- Usernames and passwords
- Financial, employment, and criminal records
Unlike the GDPR, POPIA protects not only the data of living persons but also that of other companies and organizations.
By “processing”, POPIA means any operation or activity concerning personal information. This, again, results in a very wide scope of actions, such as the collection, receipt, recording, storage, distribution, or destruction of personal data, to name a few.
Certain exemptions exist, such as for public bodies that process personal information for purposes of national security or other similar reasons. You are also exempt from POPIA if you are dealing with personal information related to regular household activities.
What is the purpose of POPIA?
The purpose of the POPIA is to safeguard personal data from theft, misuse, and malicious actions. POPIA’s rules are designed to “give effect to the constitutional right of privacy”.
In general, the POPIA does 3 things:
- Outlines 8 conditions under which any person or organization can lawfully process sensitive information.
- Describes fines and penalties for non-compliance.
- Sets up an Information Regulator that serves as the body that promotes and enforces the POPI Act.
A brief summary of POPIA’s 8 conditions
Compliance with the 8 conditions is mandatory for both public and private entities under POPIA. Those conditions are:
- Accountability
Whoever processes the personal information must comply with the provisions of POPIA.
- Processing limitation
Only relevant personal information can be processed.
- Purpose specification
The purpose of data collection must be defined. Data can’t be kept any longer than necessary.
- Further processing limitation
The consequences of the means of collecting personal data and its sharing must be considered.
- Information quality
The collected personal information must be correct and not misleading.
- Openness
The purpose of data collection must be clearly stated, and explicit consent received.
- Security safeguards
Collected personal information must be protected from loss, damage, and unlawful access.
- Data subject participation
Anyone can request to see which of their personal information is being stored, as well as to have records removed.
How to comply with POPIA
The one-year grace period to comply with POPIA ended on 30 June 2021, meaning it started being enforced on 1 July 2021.
To stay on the right side of the law, your organization will have to take various steps to comply with the 8 conditions of POPIA. These steps will include:
- Appointing an Information Officer. The Officer will be responsible for overseeing that the organization is POPIA compliant and will be communicating with the Information Regulator.
- Outward-facing: Publishing a privacy policy in which you explain all of your rights and responsibilities relating to the processing of personal data.
- Internal requirements: Educating employees, implementing processes, updating technology, amending contracts with suppliers, ensuring proper reporting of data breaches, etc.
As with any regulatory compliance, you’ll first want to complete a gap analysis to map out where your organization stands on the various requirements. The appointment of an Information Officer will also be an important step towards satisfying all of POPIA’s stipulations.
Remember, data protection is an ongoing process and will require constant monitoring and management.
How Safetica Secures Your Data for POPIA Compliance
- Safetica encrypts your data and keeps it protected in case of device loss or theft.
- Safetica is a DLP solution that protects your data against insider threats. Define which operations can be risky and block them or make Safetica notify you and your employees about potential risks.
- With Safetica, it is easy to adopt security policies and define authorized employees that can work with your sensitive files. You can set your security policies and monitor whether your company’s sensitive data is being misused and only allow authorized individuals to access it.
- Educate your employees on a regular basis. Safetica notifies your employees in the event of risky operations so they are more aware of data security.
- Secure your workplace, and adopt policies on how to work with sensitive documents. Safetica performs security audits and provides you with regular reports that allow you to adjust your security policies.
Let's talk about data security