Over the last several years, there have been a number of generally applicable data privacy and protection laws rolled out around the world, starting with Europe’s General Data Protection Regulation back in 2018.
Earlier this year, California released the California Consumer Privacy Act (CCPA), which took an even broader view than the GDPR of what’s considered private data.
The most recent privacy law? South Africa’s Protection of Personal Information Act (POPIA). Note: The POPIA initially passed in 2013 but spent seven years in limbo, until it finally came into effect on July 1, 2020.
It’s essential that security and business leaders understand which of these compliance standards apply to them, how to comply, and the consequences of a compliance breach.
The POPIA applies to every type of company, regardless of size, sector, or location, so long as it is either:
That means that non-South African companies doing business in South Africa should comply with the POPIA, whether or not they have any physical presence in the country.
We have good news, though. POPIA has a one-year transition period, so all affected businesses have until July 1, 2021 to ensure compliance. After this day, the South African Information Regulator will begin enforcing the law and fining non-compliant companies.
Wondering how to ensure compliance? See our section on “How to stay compliant with POPIA” further down the page. Otherwise, keep reading to find out what information is considered personal under POPIA.
You have to remember, compliance is all about consumer privacy. So, POPIA, like the GDPR and CCPA, mandates that businesses properly “process” personal information. This includes collecting it, erasing it, and disclosing it to any third parties.
So, what is “personal information”? The POPIA defines “personal information” as:
“Information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person”
Within this definition:
Importantly, by extending the definition of “personal information” to “juristic (legal) persons,” the POPIA gains a very broad scope that would cover certain business-to-business communications, too.
Below is a non-exhaustive list of examples of personal information provided within the POPIA:
This data could be related to a business’s customers, employees, business contacts, prospective customers, and even visitors to its website.
In preparation for the July 1, 2021 enforcement deadline, you should conduct an audit of all the personal information your business handles. You’ll need to determine whether you are meeting the POPIA’s conditions for lawful processing, including applying appropriate data security safeguards.
We’ve already outlined which businesses need to comply with the POPIA. But, what about liability? The two main players are the “responsible party” and the “operator.”
A “responsible party” is a public or private body that decides why and how to process personal information. A similar concept is the “data controller” under the GDPR and the “business” under the CCPA.
An “operator” is “a person who processes personal information for a responsible party” but is not under the responsible party’s direct authority. A similar concept is the “data processor” under the GDPR and the “service provider” under the CCPA.
Operators are directly liable under the POPIA. They must treat the personal information they process as confidential and should never disclose it without the responsible party’s authorization. In the event of a data breach, they must notify the responsible party immediately.
Responsible parties, on the other hand, must ensure they only engage with operators under a written contract (which should ensure that the operator meets the POPIA’s data security obligations). They must also monitor the operator’s activities to ensure that it meets its data security obligations.
In fewer words: everyone is responsible on some level for ensuring safe (and compliant) data processing.
In good time for July 1, 2021, you’ll need to review all contracts with business partners who process personal information on your behalf. Such companies may include marketing companies, recruitment companies, and web analytics providers.
You may need to adjust your service contracts so that they include a requirement to safeguard personal information.
Now that you know who must comply with the POPIA, who’s liable, and what data is considered “personal”, we’ll explore perhaps the most important concept: How to lawfully process data under the POPIA.
The POPIA provides a set of eight conditions businesses must satisfy when processing personal information. To be truly effective (and ultimately ensure compliance) these principles must be baked into your overall business operations, from cybersecurity to HR.
In brief, the eight conditions for lawful processing are:
But, there are additional requirements for particularly sensitive information.
Under the POPIA, particularly sensitive types of personal information are called “special personal information.” The categories of special personal information include:
Like the GDPR, the POPIA places a general prohibition on the processing of special personal information. However, it is possible to process special personal information on the following grounds:
When conducting your audit ahead of July 1, 2021, make sure you classify data correctly and set up specific processes and security measures to safeguard this “special personal information”.
We know what you’re thinking: what steps can I actually take to ensure every individual, team, and department across my organization safely processes data?
Like other compliance standards, the POPIA mandates “appropriate, reasonable technical and organizational measures” to prevent the loss of, damage to, and unauthorized access to personal information.
The POPIA sets out four broad ways in which responsible parties must secure personal information:
The POPIA also requires responsible parties to keep up-to-date with any sector-specific security standards and professional regulations, and ensure any operators also apply security safeguards to personal information.
There’s a lot to unpack here. But, it all comes down to data loss prevention (DLP). While you can read all about DLP in this article: What is Data Loss Prevention – A Complete Guide to DLP, we’ll outline the different “types” of DLP below.
Note: DLP does more or less the same thing wherever it is deployed – it looks for sensitive information crossing boundaries. But different DLP solutions operate in different ways depending on which “perimeter” is being guarded.
Network DLP protects data in motion by monitoring the traffic that enters and leaves the organization’s network. These solutions are mostly cloud-based and are designed to monitor network traffic between users and other endpoints connected through the Internet; every byte of data transmitted through a network will go through the cloud-based DLP solution.
Endpoint DLP protects data in use on employees’ devices (computers, mobile phones) by preventing unauthorized access. How? By allowing or denying certain tasks on the device, so that information isn’t taken off work devices and sent or copied to unauthorized devices.
It is also able to detect and block viruses and other malware that could be transferred into your computer system from external sources, like a USB.
Email is the threat vector security and IT leaders are most concerned about. Why? Because both inbound and outbound traffic pose serious security threats. According to data from Verizon, email is the main entry point for social engineering attacks like phishing, and incidents involving Insider Threats have increased by 47% over the last two years.
And, we can’t forget about accidental data loss – like misdirected emails – which is actually the most frequently reported security incident under the GDPR.
But organizations need more than security solutions. Under the POPIA, every public and private organization must also have an Information Officer. What are their responsibilities?
Once you have appointed your Information Officer, you must register them with the Information Regulator.
But, what happens if DLP solutions (and your Information Officer) don’t successfully prevent data loss and a breach occurs? You have to notify relevant bodies.
If personal information is subject to unauthorized access (i.e., a data breach occurs), responsible parties must notify:
Importantly, this must happen “as soon as reasonably possible” and should include:
This is a lot of work and one of the reasons why investigation and remediation are generally the costliest categories in an overall data breach. Data breaches, by the way, cost organizations $3.92 million on average according to IBM’s latest Cost of a Data Breach Report.
Breaches of the POPIA can lead to harsh penalties brought by the Information Regulator, including:
The POPIA also contains a private right of action, meaning that individual data subjects can bring a private legal claim against a responsible party. A case brought under the POPIA could lead to:
Fines, imprisonment, and lawsuits are not the only concerns for businesses processing people’s personal information in South Africa. Even small-scale data breaches can lead to a complaint being lodged with the Information Regulator.
For more information about how much businesses have been fined under other data protection laws, check out this article: 4 Biggest GDPR Fines of 2020 (So Far).
If you take nothing else away from this article, it should be that compliance and security go hand-in-hand. Businesses in South Africa and beyond must take necessary steps to safeguard the data their organizations process and hold, which requires dedicated security and IT teams and a strong data loss prevention strategy.