Ultimate Guide to The POPIA – South Africa’s Privacy Law

  • 03 September 2020

Over the last several years, there have been a number of generally applicable data privacy and protection laws rolled out around the world, starting with Europe’s General Data Protection Regulation back in 2018. 

Earlier this year, California released The California Consumer Privacy Act (CCPA), which took an even broader view than the GDPR of what’s considered private data. 

The most recent privacy law? South Africa’s Protection of Personal Information Act (POPIA). Note: The POPIA initially passed in 2013 but spent seven years in limbo, until it finally came into effect on July 1, 2020.

It’s essential that security and business leaders understand which of these compliance standards they’re bound to comply with, how to comply, and the consequences of a compliance breach.

What businesses does the POPIA apply to?

The POPIA applies to every type of company, regardless of size, sector, or location, so long as it is either:

  • Based in South Africa, or
  • Based outside of South Africa, but processes personal information within South Africa (unless it is only forwarding personal information through South Africa)

That means that non-South African companies doing business in South Africa should comply with the POPIA, whether or not they have any physical presence in the country.

We have good news, though. POPIA has a one-year transition period, so all affected businesses have until July 1, 2021 to ensure compliance. After this day, the South African Information Regulator will begin enforcing the law and fining non-compliant companies.

Wondering how to ensure compliance? You can click the link to jump down the page to our section on “How to stay compliant with POPIA”. Otherwise, keep reading to find out what information is considered personal under POPIA.

What’s considered “personal information” under the POPIA?

You have to remember, compliance is all about consumer privacy. So, POPIA, like the GDPR and CCPA, mandates that businesses properly “process” personal information. This includes collecting it, erasing it, and disclosing it to any third parties.

So, what is “personal information”? The POPIA defines “personal information” as:

“Information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person”

Within this definition:

  • A “natural person” means an individual.
  • An “existing juristic person” means a “legal person,” such as a corporation or charity.

Importantly, by extending the definition of “personal information” to “juristic (legal) persons,” the POPIA gains a very broad scope that would cover certain business-to-business communications, too.

Below is a non-exhaustive list of examples of personal information provided within the POPIA:

  1. Information relating to:
    • Race 
    • Gender 
    • Physical or mental health 
    • Belief
  2. Information about a person’s 
    • Education
    • Medical history
    • Financial history
  3. An ID number, email address, phone number, or online identifier
  4. Biometric information
  5. A person’s opinions or preferences
  6. Private correspondence
  7. Opinions about a person
  8. A name, if the context in which the name is disclosed would reveal something about a person

This data could be related to a business’s customers, employees, business contacts, prospective customers, and even visitors to its website.

  • Compliance Tip

    In preparation for the July 1, 2021 enforcement deadline, you should conduct an audit of all the personal information your business handles. You’ll need to determine whether you are meeting the POPIA’s conditions for lawful processing, including applying appropriate data security safeguards.

Who’s liable under the POPIA?

We’ve already outlined which businesses need to comply with the POPIA. But, what about liability? The two main players are the “responsible party” and the “operator.”

What is a “responsible party”?

A “responsible party” is a public or private body that decides why and how to process personal information. A similar concept is the “data controller” under the GDPR and the “business” under the CCPA.

What is an “operator”?

An “operator” is “a person who processes personal information for a responsible party” but is not under the responsible party’s direct authority. A similar concept is the “data processor” under the GDPR and the “service provider” under the CCPA.

Operators are directly liable under the POPIA and must treat the personal information they process as confidential; they should never disclose it without the responsible party’s authorization. In the event of a data breach, they must notify the responsible party immediately.

Responsible parties, on the other hand, must ensure they only engage with operators under a written contract (which should ensure that the operator meets the POPIA’s data security obligations). They must also monitor the operator’s activities to ensure that it meets those data security obligations.

In fewer words: everyone is responsible on some level for ensuring safe (and compliant) data processing.

  • Compliance Tip

    In good time for July 1, 2021, you’ll need to review all contracts with business partners who process personal information on your behalf. Such companies may include marketing companies, recruitment companies, and web analytics providers.

You may need to adjust your service contracts so that they include a requirement to safeguard personal information.

Now that you know who must comply with the POPIA, who’s liable, and what data is considered “personal”, we’ll explore perhaps the most important concept: How to lawfully process data under the POPIA.

How do I lawfully process data under the POPIA?

The POPIA provides a set of eight conditions businesses must satisfy when processing personal information. To be truly effective (and ultimately ensure compliance), these principles must be baked into your overall business operations, from cybersecurity to HR.

In brief, the eight conditions for lawful processing are:

  1. Accountability: You must ensure POPIA compliance in respect of all the personal information in your control.
  2. Lawfulness: You must only collect personal information if it is adequate and non-excessive. You must have a legally justifiable reason for collecting personal information. Where possible, you must collect personal information directly from the data subject.
  3. Purpose specification: You must only collect personal information for a specific purpose, and you must not store it for longer than necessary to meet that purpose.
  4. Further processing limitation: You may only process personal information for further purposes if they are compatible with the reason you collected it.
  5. Information quality: You must ensure the personal information you maintain is accurate and complete.
  6. Openness: You must be transparent about how you process personal information and provide consumers with notice about how and why you process their personal information.
  7. Security safeguards: You must take reasonable steps to secure the personal information in your control, and you must report any data breaches as soon as reasonably possible.
  8. Data subject participation: You must allow data subjects to access their personal information and correct or erase any inaccurate personal information.

But, there are additional requirements for particularly sensitive information.

What types of information are considered “special” under the POPIA?

Under the POPIA, particularly sensitive types of personal information are called “special personal information.” The categories of special personal information include:

  • Religious or philosophical beliefs 
  • Race or ethnic origin 
  • Trade union membership 
  • Political persuasion 
  • Health or sex life 
  • Biometric information
  • Information about criminal behavior, including:
    • Alleged offenses that have been committed by the individual
    • Proceedings that may have taken place regarding the alleged offenses

Like the GDPR, the POPIA places a general prohibition on the processing of special personal information. However, it is possible to process special personal information on the following grounds:

  • With the consent of the data subject
  • To exercise or defend your legal rights or obligations
  • To comply with an obligation under international public law
  • For historical, statistical, or research purposes in the public interest
  • Where the information has been made public by the data subject

  • Compliance Tip

    When conducting your audit ahead of July 1, 2021, make sure you classify data correctly and set up specific processes and security measures to safeguard this special personal information.

How can cybersecurity help me stay compliant with the POPIA?

We know what you’re thinking: what steps can I actually take to ensure every individual, team, and department across my organization safely processes data?

Like other compliance standards, the POPIA mandates appropriate, reasonable technical and organizational measures to prevent the loss of, damage to, and unauthorized access to personal information.

The POPIA sets out four broad ways in which responsible parties must secure personal information:

  1. Identify internal and external risks
  2. Establish and maintain safeguards
  3. Regularly verify safeguards
  4. Continually update safeguards

The POPIA also requires responsible parties to keep up-to-date with any sector-specific security standards and professional regulations, and ensure any operators also apply security safeguards to personal information.

There’s a lot to unpack here. But, it all comes down to data loss prevention (DLP). While you can read all about DLP in this article: What is Data Loss Prevention – A Complete Guide to DLP, we’ll outline the different “types” of DLP below.

Note: DLP does more or less the same thing wherever it is deployed – it looks for sensitive information crossing boundaries. But different DLP solutions operate in different ways depending on which “perimeter” is being guarded.

Network DLP

Network DLP protects data in motion by monitoring the traffic that enters and leaves the organization’s network. These solutions are mostly cloud-based and are designed to monitor network traffic between users and other endpoints connected through the Internet; every byte of data transmitted through a network will go through the cloud-based DLP solution. 

Endpoint DLP

Endpoint DLP protects data in use on employees’ devices (computers, mobile phones) by preventing unauthorized access. How? By allowing or denying certain tasks to be performed on the device, so that information isn’t taken off work devices and sent or copied to unauthorized devices.

It is also able to detect and block viruses and other malware that could be transferred into your computer system from external sources, like a USB.

Email DLP

Email is the threat vector security and IT leaders are most concerned about. Why? Because both inbound and outbound traffic pose serious security threats. According to data from Verizon, email is the main entry point for social engineering attacks like phishing, and incidents involving insider threats have increased by 47% over the last two years.

And, we can’t forget about accidental data loss – like misdirected emails – which is actually the most frequently reported security incident under the GDPR.
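To make the “sensitive information crossing a boundary” idea concrete, here is an added example (not code from the original article or from Tessian) of a minimal outbound email DLP check: it scans a message body for two POPIA personal identifiers, South African ID numbers (13 digits, date prefix, Luhn check digit) and email addresses, and holds the message for review when any recipient is outside the organisation’s own domain. The domain `example.co.za`, the sample message and the ID numbers in it are constructed for the example.

```python
import re

INTERNAL_DOMAIN = "example.co.za"  # assumption: the organisation's own mail domain

SA_ID_RE = re.compile(r"\b\d{13}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation; SA ID numbers carry a Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_sa_id_number(candidate: str) -> bool:
    """Format YYMMDDSSSSCAZ: plausible month/day prefix plus a valid Luhn digit."""
    month, day = int(candidate[2:4]), int(candidate[4:6])
    return 1 <= month <= 12 and 1 <= day <= 31 and luhn_valid(candidate)


def find_personal_information(text: str) -> dict:
    """Return the POPIA identifiers found in a message body."""
    ids = [m for m in SA_ID_RE.findall(text) if is_sa_id_number(m)]
    return {"id_numbers": ids, "email_addresses": EMAIL_RE.findall(text)}


def assess_outbound_email(sender: str, recipients: list, body: str) -> dict:
    """Hold a message when personal information would leave the internal domain."""
    external = [r for r in recipients
                if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    findings = find_personal_information(body)
    leaking = bool(findings["id_numbers"] or findings["email_addresses"])
    action = "hold_for_review" if (external and leaking) else "allow"
    return {"sender": sender, "external_recipients": external,
            "findings": findings, "action": action}


# Constructed sample: the second 13-digit number fails the Luhn check, so it is
# not reported as an ID number (this is what keeps false positives down).
SAMPLE_BODY = ("Hi, attached is the onboarding form for Thandi. Her ID number is "
               "8001015009087 and her personal email is thandi@mail.example. "
               "Reference 8001015009088 is the old case id.")

if __name__ == "__main__":
    print(assess_outbound_email("hr@example.co.za",
                                ["agent@recruiter.example"], SAMPLE_BODY))
```

A real deployment would add the remaining POPIA categories (phone numbers, biometric and special personal information), and would log the decision for the Information Officer rather than only returning it.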

Learn more about how Tessian detects and prevents both inbound and outbound threats on email to help organizations around the world stay compliant. 

But organizations need more than security solutions. Under the POPIA, every public and private organization must also have an Information Officer. What are their responsibilities? 

  • Encouraging the organization to comply with the conditions for lawful processing
  • Assisting data subjects with requests to access their personal information
  • Working with the Information Regulator in the event of an investigation
  • Otherwise ensuring that the organization complies with the POPIA

Once you have appointed your Information Officer, you must register them with the Information Regulator.

But, what happens if DLP solutions (and your Information Officer) don’t successfully prevent data loss and a breach occurs? You have to notify relevant bodies.

What do I do in the event of a breach?

If personal information is subject to unauthorized access, (i.e., a data breach occurs), responsible parties must notify:

  • The Information Regulator, and
  • The affected data subjects 

Importantly, this must happen as soon as reasonably possible and should include:

  1. A description of the consequences of the breach
  2. An explanation of what the responsible party has done to contain the breach
  3. Advice to the data subjects regarding how to mitigate the impact of the breach
  4. The identity of anyone who may have accessed the personal information (if known)

This is a lot of work, and one of the reasons why investigation and remediation are generally the costliest categories in an overall data breach, which, by the way, cost organizations $3.92 million on average according to IBM’s latest Cost of a Data Breach Report.

What are the penalties under the POPIA?

Breaches of the POPIA can lead to harsh penalties brought by the Information Regulator, including:

  • A fine of between 1 million and 10 million ZAR (approximately $60,000 – $600,000 USD)
  • Imprisonment for a term of up to ten years
  • Both a fine and a prison term

The POPIA also contains a private right of action, meaning that individual data subjects can bring a private legal claim against a responsible party. A case brought under the POPIA could lead to:

  • “Actual damages,” to compensate data subjects for any losses they have incurred
  • “Aggravated damages,” to compensate data subjects for the distress they have experienced

Fines, imprisonment, and lawsuits are not the only concerns for businesses processing people’s personal information in South Africa. Even small-scale data breaches can lead to a complaint being lodged with the Information Regulator.

For more information about how much businesses have been fined under other data protection laws, check out this article: 4 Biggest GDPR Fines of 2020 (So Far).

If you take nothing else away from this article, it should be that compliance and security go hand-in-hand. Businesses in South Africa and beyond must take necessary steps to safeguard the data their organizations process and hold, which requires dedicated security and IT teams and a strong data loss prevention strategy.
