Over the last several years, a number of generally applicable data privacy and protection laws have been rolled out around the world, starting with Europe’s General Data Protection Regulation (GDPR), which came into effect in 2018.
Earlier this year, the California Consumer Privacy Act (CCPA) came into effect, taking an even broader view than the GDPR of what counts as personal data.
The most recent privacy law? South Africa’s Protection of Personal Information Act (POPIA). Note: The POPIA initially passed in 2013 but spent seven years in limbo, until it finally came into effect on July 1, 2020.
It’s essential that security and business leaders understand which of these compliance standards they’re bound to comply with, how to comply, and the consequences of a compliance breach.
What businesses does the POPIA apply to?
The POPIA applies to every type of company, regardless of size, sector, or location, so long as it is either:
Based in South Africa, or
Based outside of South Africa, but processes personal information within South Africa (unless it is only forwarding personal information through South Africa)
That means that non-South African companies doing business in South Africa should comply with the POPIA, whether or not they have any physical presence in the country.
We have good news, though. The POPIA has a one-year transition period, so all affected businesses have until July 1, 2021 to ensure compliance. After that date, the South African Information Regulator will begin enforcing the law and fining non-compliant companies.
Wondering how to ensure compliance? Skip ahead to the section “How can cybersecurity help me stay compliant with the POPIA?” Otherwise, keep reading to find out what information is considered personal under the POPIA.
What’s considered “personal information” under the POPIA?
Remember, compliance is all about consumer privacy. So the POPIA, like the GDPR and CCPA, regulates how businesses “process” personal information, and “processing” is defined broadly: it covers collecting, storing, using, disclosing to third parties, and erasing the information.
So, what is “personal information”? The POPIA defines “personal information” as:
“Information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person”
Within this definition:
A “natural person” means an individual.
An “existing juristic person” means a “legal person,” such as a corporation or charity.
Importantly, by extending the definition of “personal information” to “juristic (legal) persons,” the POPIA gains a very broad scope that would cover certain business-to-business communications, too.
Below is a non-exhaustive list of examples of personal information provided within the POPIA:
Information relating to physical or mental health
Information about a person’s
An ID number, email address, phone number, or online identifier
A person’s opinions or preferences
Opinions about a person
A name, if the context in which the name is disclosed would reveal something about a person
This data could relate to a business’s customers, employees, business contacts, prospective customers, and even visitors to its website.
Who’s liable under the POPIA?
We’ve already outlined which businesses need to comply with the POPIA. But, what about liability? The two main players are the “responsible party” and the “operator.”
What is a “responsible party”?
A “responsible party” is a public or private body that decides why and how to process personal information. A similar concept is the “data controller” under the GDPR and the “business” under the CCPA.
What is an “operator”?
An “operator” is “a person who processes personal information for a responsible party” but is not under the responsible party’s direct authority. A similar concept is the “data processor” under the GDPR and the “service provider” under the CCPA.
Operators are directly liable under the POPIA. They must treat the personal information they process as confidential and must never disclose it without the responsible party’s authorization. If they have reason to believe the information has been accessed by an unauthorized person, they must notify the responsible party immediately.
Responsible parties, on the other hand, must only engage operators under a written contract that obliges the operator to apply the POPIA’s security safeguards, and they must monitor the operator’s activities to ensure those security obligations are actually met.
In fewer words: everyone is responsible on some level for ensuring safe (and compliant) data processing.
You may need to adjust your service contracts so that they include a requirement to safeguard personal information.
Now that you know who must comply with the POPIA, who’s liable, and what data is considered “personal”, we’ll explore perhaps the most important concept: How to lawfully process data under the POPIA.
How do I lawfully process data under the POPIA?
The POPIA provides a set of eight conditions businesses must satisfy when processing personal information. To be truly effective (and ultimately ensure compliance) these principles must be baked into your overall business operations, from cybersecurity to HR.
In brief, the eight conditions for lawful processing are:
Accountability: You must ensure POPIA compliance in respect of all the personal information in your control.
Processing limitation (lawfulness): You must process personal information lawfully and in a manner that does not infringe the data subject’s privacy. You must only collect what is adequate, relevant, and not excessive, you must have a legal justification (such as consent, a contract, or a legal obligation), and, where possible, you must collect the information directly from the data subject.
Purpose specification: You must only collect personal information for a specific purpose, and you must not store it for longer than necessary to meet that purpose.
Further processing limitation: You may only process personal information for further purposes if they are compatible with the reason you collected it.
Information quality: You must ensure the personal information you maintain is accurate and complete.
Openness: You must be transparent about how you process personal information, document your processing, and give data subjects notice of how and why you process their personal information.
Security safeguards: You must take reasonable steps to secure the personal information in your control, and you must report any data breaches as soon as reasonably possible.
Data subject participation: You must allow data subjects to access their personal information and correct or erase any inaccurate personal information.
But, there are additional requirements for particularly sensitive information.
What types of information are considered “special” under the POPIA?
Under the POPIA, particularly sensitive types of personal information are called “special personal information.” The categories of special personal information are:
Religious or philosophical beliefs
Race or ethnic origin
Trade union membership
Political persuasion
Health or sex life
Biometric information
Information about criminal behavior, including:
Alleged offenses that have been committed by the individual
Proceedings that may have taken place regarding the alleged offenses
Like the GDPR, the POPIA places a general prohibition on the processing of special personal information. However, it is possible to process special personal information on the following grounds:
With the consent of the data subject
Where necessary to establish, exercise, or defend a right or obligation in law
To comply with an obligation under international public law
For historical, statistical, or research purposes in the public interest
Where the information has been made public by the data subject
How can cybersecurity help me stay compliant with the POPIA?
We know what you’re thinking: what steps can I actually take to ensure every individual, team, and department across my organization safely processes data?
Like other compliance standards, the POPIA mandates “appropriate, reasonable technical and organizational measures” to prevent the loss of, damage to, and unauthorized access to personal information.
The POPIA sets out four broad ways in which responsible parties must secure personal information:
Identify internal and external risks
Establish and maintain safeguards
Regularly verify safeguards
Continually update safeguards
The POPIA also requires responsible parties to keep up-to-date with any sector-specific security standards and professional regulations, and ensure any operators also apply security safeguards to personal information.
There’s a lot to unpack here, and a large part of it comes down to data loss prevention (DLP): controls that stop personal information from leaving the places it is supposed to be. You can read all about DLP in this article: What is Data Loss Prevention – A Complete Guide to DLP. Below, we outline the different “types” of DLP.
Note: DLP does more or less the same thing wherever it is deployed: it looks for sensitive information crossing a boundary and allows, warns on, or blocks the transfer. Different DLP solutions differ in which “perimeter” they guard and therefore in what they can see.
Network DLP protects data in motion by inspecting traffic at the points where it leaves the organization: secure web gateways, mail gateways, and proxies, increasingly delivered as cloud services that user traffic is routed through. One practical caveat: network DLP can only inspect what it can read, so encrypted traffic must be terminated and re-encrypted at the inspection point, and devices that bypass the gateway are invisible to it.
Endpoint DLP protects data in use on employees’ devices (computers, mobile phones) with an agent that allows or denies specific actions: copying files to removable media, pasting into unapproved applications, printing, or uploading to personal cloud storage. Because it sits on the device, it keeps working when the user is off the corporate network.
Device control within endpoint DLP can also block untrusted removable media such as USB drives, which closes off a common path for both data exfiltration and malware brought in from outside.
Email is the threat vector security and IT leaders are most concerned about. Why? Because both inbound and outbound traffic pose serious security risks. Verizon’s Data Breach Investigations Report data shows that email is the main entry point for social engineering attacks like phishing, and incidents involving insider threats have increased by 47% over the last two years.
And, we can’t forget about accidental data loss – like misdirected emails – which is actually the most frequently reported security incident under the GDPR.
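The two email checks just described, content inspection for identifiers the POPIA counts as personal information and a guard against misdirected recipients, can be shown concretely. The following is an added example written for this article; it is not Tessian’s product code or code from the original page. Its trusted-domain list, the simplified South African phone-number pattern, the look-alike edit-distance threshold, and the sample message are all constructed assumptions. It treats any Luhn-valid 13-digit string as a candidate South African ID number (the ID’s last digit is a Luhn check digit) without validating the date or citizenship fields.

```python
"""Minimal outbound-email DLP check: flag personal identifiers leaving the
organisation and recipient domains that look like typos of trusted ones.

Added example for this article (not Tessian's or the page's own code).
ALLOWED_DOMAINS, PHONE_RE and LOOKALIKE_DISTANCE are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Domains trusted to receive personal information (assumption).
ALLOWED_DOMAINS = {"example.co.za", "partner.example"}
# Edit distance at or below which an external domain is treated as a likely typo.
LOOKALIKE_DISTANCE = 2

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# South African numbers in local (0XXXXXXXXX) or international (+27XXXXXXXXX)
# form; a simplified pattern, not a full validator.
PHONE_RE = re.compile(r"(?<![\d+])(?:\+27|0)\d{9}(?!\d)")
# Candidate 13-digit South African ID numbers; the last digit is a Luhn check digit.
SA_ID_RE = re.compile(r"(?<!\d)\d{13}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_identifiers(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs for identifiers found in text."""
    found = [("email", m.group()) for m in EMAIL_RE.finditer(text)]
    found += [("phone", m.group()) for m in PHONE_RE.finditer(text)]
    # Only Luhn-valid 13-digit strings are reported, so invoice or tracking
    # numbers of the same length are mostly ignored.
    found += [("sa_id", m.group()) for m in SA_ID_RE.finditer(text)
              if luhn_ok(m.group())]
    return found


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike recipient domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


@dataclass
class Verdict:
    action: str                      # "allow", "warn" or "block"
    external: list[str]              # recipients outside ALLOWED_DOMAINS
    lookalike: list[str]             # external recipients resembling a trusted domain
    findings: list[tuple[str, str]]  # identifiers found in subject and body


def assess_outbound(recipients: list[str], subject: str, body: str) -> Verdict:
    """Decide what to do with an outbound message before it leaves the boundary."""
    external = [r for r in recipients if domain_of(r) not in ALLOWED_DOMAINS]
    lookalike = [r for r in external
                 if any(0 < edit_distance(domain_of(r), d) <= LOOKALIKE_DISTANCE
                        for d in ALLOWED_DOMAINS)]
    findings = find_identifiers(subject + "\n" + body)
    if lookalike or (external and findings):
        # Likely typo'd recipient, or personal information leaving the boundary.
        action = "block"
    elif external:
        action = "warn"
    else:
        action = "allow"
    return Verdict(action, external, lookalike, findings)


if __name__ == "__main__":
    # Constructed sample message, not real data.
    verdict = assess_outbound(
        recipients=["hr@example.co.za", "payroll@exarnple.co.za"],
        subject="New starter details",
        body="Thabo's ID number is 9001015009086, mobile 0821234567.",
    )
    print(verdict)
```

On the sample message the verdict is "block": the body carries a Luhn-valid ID number and a phone number, and `payroll@exarnple.co.za` is two edits away from the trusted `example.co.za`, which is exactly the misdirected-email pattern described above. A real deployment would add more identifier classes, keyword and document-fingerprint matching, and a policy engine in place of the three-way decision, but the structure is the same.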
Learn more about how Tessian detects and prevents both inbound and outbound threats on email to help organizations around the world stay compliant.
But organizations need more than security solutions. Under the POPIA, every public and private organization must also have an Information Officer. What are their responsibilities?
Encouraging the organization to comply with the conditions for lawful processing
Assisting data subjects with requests to access their personal information
Working with the Information Regulator in the event of an investigation
Otherwise ensuring that the organization complies with the POPIA
Once you have appointed your Information Officer, you must register them with the Information Regulator.
But, what happens if DLP solutions (and your Information Officer) don’t successfully prevent data loss and a breach occurs? You have to notify relevant bodies.
What do I do in the event of a breach?
If there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorized person (i.e., a data breach has occurred), responsible parties must notify:
The Information Regulator, and
The affected data subjects
Importantly, this must happen “as soon as reasonably possible” and should include:
A description of the consequences of the breach
An explanation of what the responsible party has done to contain the breach
Advice to the data subjects regarding how to mitigate the impact of the breach
The identity of anyone who may have accessed the personal information (if known)
This is a lot of work, and one of the reasons why investigation and remediation are generally among the costliest categories in an overall data breach. Which, by the way, cost organizations $3.92 million on average according to IBM’s 2019 Cost of a Data Breach Report.
What are the penalties under the POPIA?
Breaches of the POPIA can lead to harsh penalties brought by the Information Regulator, including:
An administrative fine of up to 10 million ZAR (approximately $600,000 USD)
Imprisonment for a term of up to ten years
Both a fine and a prison term
The POPIA also contains a private right of action, meaning that individual data subjects can bring a private legal claim against a responsible party. A case brought under the POPIA could lead to:
“Actual damages,” to compensate data subjects for any losses they have incurred
“Aggravated damages,” to compensate data subjects for the distress they have experienced
Fines, imprisonment, and lawsuits are not the only concerns for businesses processing people’s personal information in South Africa. Even small-scale data breaches can lead to a complaint being lodged with the Information Regulator.
For more information about how much businesses have been fined under other data protection laws, check out this article: 4 Biggest GDPR Fines of 2020 (So Far).
If you take nothing else away from this article, it should be that compliance and security go hand-in-hand. Businesses in South Africa and beyond must take necessary steps to safeguard the data their organizations process and hold, which requires dedicated security and IT teams and a strong data loss prevention strategy.