The Protection of Personal Information (POPI) Act is a piece of South African legislation that aims to ensure effective management of any personal data processed by both private and public bodies. The POPI Act became law in November 2013, but the Act has not yet been fully enacted. Once the implementation date is confirmed, organizations operating business in South Africa will have one year to ensure that they are POPI compliant.
Personal data under POPI is defined as information that relates to an individual or juristic person. Gender, employment history and email address are a few examples of what POPI defines as personal information. Since there are different criteria for how organizations classify personal and non-personal information, POPI will affect the way that organizations manage this. For example, organizations will have to take any consumer data that they may hold and classify what type of information it is.
In the instance that a data breach occurs, organizations will have to report the breach to the Information Regulator as well as the affected parties. Under POPI, organizations could be fined up to R10 million (approximately £538k), and sentences could even include jail time of up to 10 years depending on the seriousness of the breach. Finally, organizations could face significant reputational damage in the form of customer loss and limited ability to attract new clients.
POPI and GDPR
POPI makes it imperative for businesses based in and dealing with South Africa to comply with newly stringent data protection regulations, but South African businesses may be wondering how the Act intersects with other global data legislation. Rulings like the European Union’s General Data Protection Regulation (GDPR) also have ramifications for organizations around the world, of course. Businesses in South Africa that process customer data from the European Union must also ensure they are fully compliant with GDPR.
How to remain POPI compliant
Acknowledging the ever-present risk of data breaches is an essential part of the role for security leaders. Traditionally, data controllers tend to focus on malicious threats such as ransomware or brute force cyberattacks. However, human error is increasingly putting organizations at risk. For example, human error was the root cause of 30% of data breaches in South Africa, which is higher than the global average of 26%. Mistakes made due to human error could include an employee accidentally sending a misdirected email to the wrong recipient or hitting the “reply all” or “cc” field instead of “bcc.” In both cases, the employee is not acting maliciously, but the impact is that sensitive information is still exposed.
POPI will have an impact on all companies in South Africa, but it will be particularly important for organizations that hold large amounts of personal information to take the right steps early on to ensure that they are POPI compliant. Implementing the right technology will help your organization stay proactive with your security strategy. Forward-thinking firms in all sectors are choosing Tessian to manage the way in which data moves on email. Enforcer and Constructor’s machine learning allows organizations to prevent data from being transferred to non-compliant destinations. With cutting-edge technology, businesses can ensure that they remain compliant amid changing regulations.
To learn more about how Tessian could help you become POPI compliant, contact us here.