The Protection of Personal Information Act (POPIA) is South Africa’s data protection law. The main purpose of POPIA is to protect people from harm by protecting their personal information. For example, the Act aims to protect people from having their money being stolen, to stop their identity being stolen, and generally to protect their privacy, which is a fundamental human right entrenched in our Constitution.
The Protection of Personal Information Act (POPIA) is South Africa’s data protection law. The main purpose of POPIA is to protect people from harm by protecting their personal information.
For example, the Act aims to protect people from having their money being stolen, to stop their identity being stolen, and generally to protect their privacy, which is a fundamental human right entrenched in our Constitution.
Principle-based
The objectives of POPIA are to:
- promote the protection of personal information processed by public and private bodies;
- introduce certain conditions so as to establish minimum requirements for the processing of personal information;
- provide for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of POPIA and the Promotion of Access to Information Act;
- provide for the issuing of codes of conduct;
- provide for the rights of persons regarding unsolicited electronic communications and automated decision making; and
- regulate the flow of personal information across the borders of the Republic.
POPIA impacts any natural or juristic person who processes personal information. A juristic person can include large corporates, government, a partnership, association, trust, body corporate, company, or close corporation.
Any organisation that processes a lot of personal data. This could be an organisation in the public or private sector (like a bank or medical aid). The industries that are most affected are financial services, insurance, healthcare, retail (including online shopping sites),marketing (including direct marketing), banking, credit providers, medical aids, business process outsourcing, and telecommunications are some of the organisations on which data protection law has a high impact.
Condition 7 Security Safeguards
POPIA requires a responsible party to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable, technical, and organisational measures to prevent—
- loss of, damage to, or unauthorised destruction of personal information; and
- unlawful access to, or processing of personal information.
To demonstrate compliance with this provision, the responsible party must put measures in place to—
- identify any possible internal and external risks to personal information in its possession or under its control;
- establish and maintain appropriate safeguards against the risks identified;
- regularly verify that the safeguards are effectively implemented; and
- ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it. (See Section 19, Section 20, Section 21, and Section 22)
A responsible party who does not comply with POPIA may face two penalties:
- A fine or imprisonment of between R1 million and R10 million or one to ten years in jail;
- Paying compensation to data subjects for the damage they have suffered.
Your business could suffer other consequences as a result of non-compliance with POPIA. These consequences could potentially have a devastating impact on your business even though they are not monetary in nature. For example:
- Your business and your brand could suffer from irreparable reputational damage;
- You could lose valuable customers because they no longer trust your brand;
- You may not be able to attract new customers.
If your organisation is a victim of a data breach or security compromise, the Information Regulator will ask you for information about the incident. In particular, the Regulator will ask you what measures you put in place to secure personal information and protect it from a security compromise.
As POPIA is a principle-based law, by implementing our products you can easily demonstrate to the Regulator the controls, measures, and procedures you put in place to achieve the outcomes set out under Condition 7, Security Safeguards.
Obtaining a CyberProfiler scan and implementing the remediation recommendations provided in its report can help your organisation by:
- identifying potential risks;
- implementing recommended solutions and safeguards;
- running subsequent vulnerability scans periodically for new risks; and
- ensuring that the safeguards are effectively implemented.
Implementing DMARC on your company’s email domain helps your organisation to:
- identify the potential risks of Email Spoofing;
- implement the recommended solutions and safeguards properly and effectively; and
- actively monitor your email system for new risks.
- Link to the Act in the form of a website: popia.co.za
- POPI Regulations in South Africa explained: Michalsons Blog
- For more information about POPIA offenses, penalties and administrative fines: Michalsons Blog