
SA’s POPI Act, the EU’s GDPR and your business

South Africa’s Protection of Personal Information Act and the European Union’s General Data Protection Regulation have widespread implications for businesses. Are you prepared?

Data privacy and data security are firmly in the spotlight after headline-making incidents around the globe in 2018.

On June 14, Liberty Holdings was targeted by cybercriminals, who breached the group’s IT systems. The hackers claimed to have stolen 40 terabytes of data.

On July 11, Facebook was fined 500 000 pounds (about R9-million) in connection with the Cambridge Analytica scandal. The social media giant failed to protect its users’ information, according to Britain’s data watchdog.

In an increasingly digital environment, cybercrime is an evolving threat. Across the world, governments, economic associations and political groups have implemented legal structures to regulate the information-powered international ecosystem.

If you’re a South African business owner, then you need to understand the directives of SA’s Protection of Personal Information Act as well as the European Union’s General Data Protection Regulation.

What is South Africa’s Protection of Personal Information Act?

The POPI Act (also known as POPIA) was signed into law by President Jacob Zuma on November 19, 2013, and published in the Government Gazette a week later on November 26, 2013.

The legislation is designed to ensure that private, public and governmental organisations behave responsibly when managing the personal information of both “natural persons” (individuals) and “legally recognised entities” (like companies).

The key purposes of the POPI Act (as decreed) are:

  • To give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party.
  • To regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information.
  • To provide persons with rights and remedies to protect their personal information from processing that is not in accordance with this Act.
  • To establish voluntary and compulsory measures, including the establishment of an Information Regulator, to ensure respect for and to promote, enforce and fulfill the rights protected by this Act.

When will the POPI Act be implemented?

Certain sections of the POPI Act became effective on April 11, 2014, and address the appointment of South Africa’s Information Regulator.

The government has yet to announce the commencement date for the remaining provisions of the law, but is expected to do so later in 2018.

There will be a grace period of 12 months from the date of commencement for organisations to comply with the POPI Act.

You can find the full text of the Protection of Personal Information Act on the Justice Department’s website.

You can also download our infographic – 10 Things To Know About South Africa’s Protection of Personal Information Act – to print and keep, absolutely free.

Who is bound by the POPI Act?

All organisations that collect, process, store or share personal information must abide by the rules and regulations of the Act.

Comprehensive data privacy and data security initiatives will need to be implemented so that the technology, systems and processes used for information-gathering and information management comply with the law.

Broadly speaking, the POPI Act sets certain conditions for the acquisition, storage and management of personal details so that individuals (and legally recognised entities) know what is being done with their data. The law also defines the obligations and responsibilities related to information management, including quality control and security.

How is compliance achieved?

Accountability and transparency are core elements of the POPI Act. When the law comes into full force, organisations will have a brief window of opportunity to sort out their affairs. After that, non-compliance is likely to result in a financial penalty and/or imprisonment.

Conducting an in-depth evaluation of your business processes will help you to identify potential problem areas:

  • Audit your entire operation to determine when, where and how personal information is handled.
  • Formulate new protocols and implement checks and balances to ensure compliance.
  • Educate your staff to create an organisation-wide culture of responsibility.

South Africa’s Protection of Personal Information Act is expected to have a dramatic impact on the local business landscape, much like the General Data Protection Regulation has done in the European Union.

What is the General Data Protection Regulation?

The General Data Protection Regulation (GDPR, or EU Regulation 2016/679) is a sweeping data-protection law that was approved by the European Union in April 2016.

The legislation addresses the privacy rights of internet users and imposes limitations on the processing of their online data, including email addresses and social media posts.

When will the GDPR be implemented?

The GDPR is already in effect.

Full enforcement began on May 25, 2018.

Did you receive a flood of “Privacy Policy” notices in your inbox around that time? You weren’t the only one. As the two-year GDPR grace period drew to an end, there was a flurry of compliance activity across the world.

Which countries are affected by the GDPR?

Although it was implemented by the EU, and is primarily concerned with data regulation in European countries, the GDPR has global implications.

Because the internet has revolutionised the way the world does business, it’s possible for a South African company to have customers living in France or Italy. It’s also possible for a South African company to have European customers residing within SA’s borders. In both cases, the GDPR applies, because EU citizens are involved.

If you provide products or services to EU citizens, and process their data in order to do so, then you need to adhere to the GDPR – no matter where you are based.

What happens if businesses don’t comply with the GDPR?

From official reprimands to financial penalties, the consequences of non-compliance are severe. Potential administrative fines can reach 20 million euros. The effects of the European Union’s General Data Protection Regulation are already being felt. The full impact of South Africa’s Protection of Personal Information Act has yet to be seen. Preparation is your best course of action.

2018 Palo Alto NSS Advanced Endpoint Protection

100% Exploits and Evasions Blocked and Zero False Positives

Palo Alto Networks is celebrating the latest NSS Labs test results and recommendation for Advanced Endpoint Protection. Traps sits in the top right-hand corner of the NSS Labs results chart, with “100% Exploits and Evasions Blocked and Zero False Positives” and the lowest TCO of all AV vendors tested.

A few highlights include:

  • Traps earned a “Recommended” rating in this test – the highest rating NSS offers;
  • Traps had a 97.6% security effectiveness score;
  • Traps had a 100% block rate for exploits and evasions;
  • Traps had zero (0) false positives;
  • Traps had the lowest total cost of ownership (TCO) among all 20 vendors tested.

The test validates the power of Traps and the efficacy of its prevention-first approach.

Read the full report for details.

BUI And Living Tech

About the integration

So what’s the story?

BUI and Living Tech are taking the next step in our integration. The journey started in March 2014 and over the years we have integrated back office operations, finance and relocated to a single, larger BUI office in the Cape Town foreshore.

Our next step is to broaden the services we deliver to our customers and to put the BUI identity at the forefront of our engagement with them. This enables us to reposition the Living Tech branding to a specific managed services offering while delivering new services to the managed services customer base. During this transition the familiar Living Tech branding will be replaced by BUI branding while we continue to deliver on the commitment of being “the Perfect IT Partner for your Business”.

Below are some FAQs relating to this journey.


What is changing with the branding change to BUI?

During the final phase of the integration with BUI we are making branding changes to our website, email, telephone and social media:

  • Existing website will redirect to the BUI website
  • All staff email addresses will change to Existing email addresses will continue to work indefinitely.
  • The Cape Town telephone number will remain 021 551 6441. New voice prompts and on hold music will be used.
  • Our social media presence will be on @BUIza for Facebook, Twitter and LinkedIn.

Will anything else change? What about the staff and services offered?

Good news! The teams are staying the same. Our focus is on branding during this final phase of integration. All staff have already been transitioned to BUI during the past 24 months. We are continuing to deliver the same services to customers, with a focus on new and improved services to come.

Accounts and Billing Questions

Has your banking information changed?

No – we repeat – no changes have been made to our bank account details, and we are not communicating any changes to banking information. We are aware of certain scams that trick customers into paying into fraudulent bank accounts. Should you receive communication that appears to be from BUI / Living Tech requesting changes to payment information, please disregard it and contact us telephonically to follow up.

Have the company registration details changed?

No – company registration details have been in place for the past 12+ months. The correct information is reflected on your tax invoice and statement.

Additional Questions

What if I have additional questions?

You can ask questions anytime! You can email us on support@ or call us on 021 551 6441.

Support email address.

The address will still work, but your replies will come from which will be the new support email address.

Did I Just Socially Engineer My Own Identity Theft?

Social engineering is the use of deception to get people to divulge confidential information. On an individual scale, it can be something as simple as disclosing the personal identification number for your bank card, enabling someone to illegally access your funds. On a corporate scale, it can entail the leaking of thousands of people’s confidential information including user names, passwords, identity numbers, etc.

BUI MD Ryan Roseveare says: “Although this type of social engineering can affect the general public and put them at risk of inadvertently exposing confidential information, the biggest threat is to corporates who hold massive amounts of personal data about their customers and their staff. All too often data loss in the corporate environment is simply the result of negligent behaviour by uneducated users who do something as basic as clicking on a malware-infected e-mail.”

According to Roseveare, a big threat to business arises when private negligence causes corporate issues: when people use private devices on their own Internet connections for private use. “They don’t even access company resources remotely but then they access applications, or they want to register for the likes of Facebook, and they use their company details (such as their e-mail address) and all too often they also use their work password to register. Hackers then get into the databases for sites such as Facebook, LinkedIn or even Ashley Madison, obtain those credentials and use them for external attacks.”

There have been several well publicised incidents of cyber crime recently, underscoring the need for businesses of all sizes to be vigilant about online security.

How did it happen?

Well, there are several ways in which people can be persuaded into sharing information that they wouldn’t ordinarily disclose. We all know not to click on links in e-mails or to open attachments from unknown sources, but what about that phone call from the bank or your cellular provider asking you to confirm your personal details?

However, not all identity thefts are that simple. In September this year, a US credit reference agency reported a hack that affected the data, including credit card details, of up to 143 million people. The implications of such a large-scale attack are widespread, including the damage caused to that company’s brand and reputation. It’s believed that the hack took place through a third-party company that did business with the credit reference agency.

The right thing to do

What do you do if your customers’ personal data is exposed? Well, the most important thing is to establish exactly what confidential information was stolen. Then you need to let the affected people know immediately, says Roseveare, so that they can notify their financial institutions if their banking information has been breached.

Prevention is better than cure

Naturally, prevention is the preferred route, and there are several measures that businesses can take to identify potential breaches before they can happen. However, says Roseveare, much as in other remedial programmes, the first step is admitting that you may have a problem or, in this case, that your system is indeed vulnerable to attack.

It’s important to note that the increasingly mobile workforce and the associated trend towards BYOD (bring your own device) make the job of safeguarding your company’s data that much more difficult. Roseveare breaks it down into three areas: “You need to protect the device, you need to protect the data, and you need to protect the access.”

Measures that you could and should implement include multi-factor authentication instead of just a single password when accessing certain types of data, says Roseveare. So a combination of fingerprint, PIN, strong password, even iris scanning or facial recognition can be used to ensure that only authorised users can access certain applications and information.

While firewalls and anti-virus software certainly play integral roles in data security, these are powerless against the hapless individual who opens an e-mail that appears to come from a trusted source.

It may seem obvious, but educating your workforce and other users about the risks inherent in clicking on a link or attachment in an e-mail from someone they don’t know is one of the most basic things you can do to protect your personal data.

Roseveare concludes by saying: “If the information above has sparked a fear that your business could well be vulnerable to attack, then we’ve achieved what we set out to do. A little healthy fear can save your business and your identity from malicious attacks of this nature.”

Ransomware: Are You The Problem?

Businesses around the world were brought to a standstill in mid-May by the WannaCry ransomware attack. But were the affected organisations indeed victims of the ransomware, or of their own inefficiencies?

Ryan Roseveare, MD at BUI, believes the latter. He says, “IT and security professionals at affected companies have to ask themselves some tough questions. How long did it take before you became aware of the problem? Were you notified on the Friday that the attack happened? If you’re a security professional, did you know about the attack as it was in progress, or did you only find out when you arrived at work on Monday morning? What did you do in response to the attack? Did you immediately buy a piece of software to fix the problem? How many e-mails did you receive from vendors trying to sell you products after the fact, or even days later?”

The answers to these questions will define whether you have an effective security response programme in place or not.

Roseveare continues: “If you reflexively bought software, in this case you wasted your money. In fact, businesses didn’t need to spend a single cent to mitigate the WannaCry attack. The bottom line is that if your business was affected by this ransomware, your IT department or security professional, either in-house or outsourced, didn’t do their job.

“In fact, I’d go so far as to say that if your IT security provider didn’t inform you about the WannaCry attack on the Friday as it happened, you need to look at another provider. If they sent you an e-mail marketing a product after the fact, then you need to think twice about their motivation.”

Roseveare believes that if businesses were caught out by this particular ransomware, it was entirely self-inflicted. He says, “If your IT department had been proactive and initiated a standard response process and an effective patch management and update programme, WannaCry wouldn’t have even featured on your radar. If your response was to buy software to protect yourself going forward, you’ve probably wasted your money. In fact, we’re seeing a rise of what we refer to as Ransomware as a Service – vendors are using ransomware as a marketing vehicle to sell a product. They’re capitalising on an incident that doesn’t actually require you to buy anything, to sell you stuff you probably don’t need.

“A proper security advisor would have told you about the ransomware attack on the afternoon that it happened. If you only found out on Monday about this attack, or that your business was affected, then that was far too late; you did not do your job, and perhaps some introspection is needed.”

Businesses must examine their security response processes in terms of how they managed the attacks. Roseveare explains: “You need to interrogate whether all of your systems could be affected all the time, in this case did you communicate to everyone in your organisation over the weekend to explain what had happened and what they should do about it? Or did you come in on Monday morning, get an e-mail from a vendor and buy some software you didn’t need?

If we look at the timeline below, businesses should have had at least three months to prepare for this particular attack. If you still got caught, then it’s time to reassess your practices and your providers.”

WannaCry timeline

  • 16 January – US-CERT issues advisory on new SMB vulnerability.
  • 10 February – First infection of WannaCry.
  • 14 March – Microsoft releases patch for CVE-2017-0144.
  • 27 March – Second wave of attacks.
  • 14 April – Shadow Brokers releases EternalBlue exploit code.
  • 10 May – CVE-2017-0144 exploit is added to Exploit-DB.
  • 12 May – New wave of WannaCry attacks begins, using EternalBlue exploit to spread.
  • 12 May – Microsoft releases CVE-2017-0144 patch for Windows XP.
  • 12 May – Kill switch domain #1 is sinkholed.
  • 13 May – A new version of WannaCry surfaces.
  • 14 May – Kill switch domain #2 is sinkholed.
  • 17 May – Notice displayed on infected computers claiming files will be decrypted if ransom is paid.

Roseveare concludes by issuing a warning: “We know that this is going to happen again. WannaCry wasn’t the last ransomware attack, and it certainly wasn’t the first one; just this week there has been another outbreak, and they are going to continue for the foreseeable future.

“What are you doing to protect your business? Or have you become complacent because you bought something? My recommendation is that you adopt a proactive approach, re-evaluate your policies and responses, re-evaluate your vendors!”

Security As A Service

Today’s IT environment is becoming increasingly complex, with computing assets spanning from on-premises legacy solutions to advanced workloads running as a service in the cloud. The challenge is securing the enterprise without impacting the business’s ability to operate, allowing the ever-increasing demand on mobility to be safe, secure and agile.

Ryan Roseveare, MD of BUI, says: “We’re seeing an escalating number of breaches, both local and international, so concerns around cloud security and identity are very valid and a top priority for all of our customers.”

As breaches, ransomware and modern cyber crimes become the new normal, the cost of security platforms to business is spiralling. According to Microsoft’s 2016 Trends in Cyber Security:

  • More than 6 000 vulnerabilities are disclosed per year across the industry.
  • 41.8% of all vulnerability disclosures are rated as highly severe – a three-year high.
  • The encounter rate for consumer computers was about 2.2 times as high as the rate for enterprise (domain-joined) computers.

“In South Africa, organisations entering the cloud face the additional concern that their data will be hosted internationally, so the security aspect is very much top of mind for the local CIO considering taking his business into the cloud,” says Roseveare. “As a result, over the past couple of years we’ve seen an increase in the number of companies undergoing the cloud security journey, especially in South Africa where we don’t have any big data centres just yet. We’re having this conversation on a daily basis with businesses that are nervous to ship their data off overseas. They want to make sure it’s secure.”

“Other concerns that we’re seeing revolve around data sovereignty; businesses want to know whether other governments see their data. The perception is that the minute the data leaves South Africa’s borders, we lose control over what happens to it,” says Roseveare.

So South African organisations are caught in a quandary between migrating to the cloud – a non-negotiable for survival and growth – and keeping their data secure while complying with complex local and possibly international regulations. Roseveare says: “When you move your organisation to cloud services, you must be able to trust your service provider with your most important, sensitive and confidential data. Look for someone who focuses on building secure solutions that deliver value to customers, partners, and shareholders alike – both in the cloud and on-premises.”

What makes a good cloud partner from a security perspective? For one thing, explains Roseveare, they must address all areas of security, from identity and access to network security, data protection and data privacy. It’s also important that the provider be able to offer a holistic, integrated security service as opposed to stand-alone products. Clients who have legislative or compliance requirements around their data should also request extensive privacy controls and visibility into where their data resides and who has access to it. They should ask whether the data is hosted in a single data centre or across more than one, so that the data remains available should one data centre cease functioning for some reason. Customers with data sovereignty and compliance concerns will be glad to know that two hyperscale data centres are being developed in South Africa in 2018.

“There are three aspects to cloud security,” says Roseveare. “You want to secure your users’ identities, you want to protect your infrastructure and you want to ensure that apps and data are kept safe.”

User identity and customer data must be secured by means of enterprise-grade multi-factor authentication and information protection. The use of biometric access controls such as retina or fingerprint scanning, together with checks on the user’s location, can ensure that only legitimate users gain access to your data or applications.

Infrastructure management includes protecting mobile users, identifying potential threats and managing security incidents from detection to post-event analysis. The emphasis is on early detection, remediation and notification, which are key aspects of defending against security threats.

The bottom line, concludes Roseveare, is that whether the threat comes from inside your own organisation or from outside forces, you need to know that your organisation’s data is protected, regardless of where it resides.

BUI recognized as 2017 Microsoft Country Partner of the Year for South Africa

BUI today proudly announced it has won the 2017 Microsoft Country Partner of the Year Award for South Africa. The company was honored among a global field of top Microsoft partners for demonstrating excellence in innovation and implementation of customer solutions based on Microsoft technology.

Awards were presented in several categories, with winners chosen from a set of more than 2,800 entrants from 115 countries worldwide. BUI was recognized for providing outstanding solutions and services, as well as representing excellent subsidiary engagement in South Africa.

The Microsoft Country Partner of the Year Awards honor partners at the country level that have demonstrated business excellence in delivering Microsoft solutions to multiple customers over the past year. This award recognizes BUI as succeeding in effective engagement with its local Microsoft office while showcasing innovation and business impact, driving customer satisfaction, and winning new customers.

“We are honored to recognize BUI of South Africa as a Microsoft Country Partner of the Year,” said Ron Huddleston, corporate vice president, One Commercial Partner, Microsoft Corp. “BUI is a prime example of the expertise and innovation we see in our Microsoft partner community to deliver transformative solutions.”

The Microsoft Partner of the Year Awards recognize Microsoft partners that have developed and delivered exceptional Microsoft-based solutions over the past year.

Ascent Technology And BUI Partner To Drive Digital Industrial Transformation

Ascent Technology and BUI today announced a strategic partnership to help their respective clients create new value with Microsoft Cloud Solutions.

Clients will benefit from the unique combination of BUI’s in-depth, security-focused Microsoft Azure consulting practice and Ascent’s deep domain knowledge and extensive portfolio around Microsoft Data Platform solutions. The two partners are committed to empowering digital transformation at their clients. By selecting Microsoft Azure as the cloud for this collaboration, both BUI’s and Ascent’s clients will now have access to an enterprise-grade cloud infrastructure that benefits from billions of dollars of ongoing investment.

“Together with Ascent, we are providing our clients with the digital technology and cloud platform to allow our clients to extend, migrate and operate their systems in a secure and scalable manner,” – Ryan Roseveare, Managing Director at BUI.

“The partnership announced today combines Ascent’s portfolio of Database and Business Intelligence (BI) solutions and services with BUI’s market-leading technology solutions, to the benefit of our joint client base and the broader market,” – Johan Lamberts, Managing Director at Ascent Technology.

Together, Ascent and BUI will accelerate digital solutions that improve clients’ productivity with increased uptime, disaster recovery, database infrastructure and data analysis solutions. As BUI has standardised its offerings on Microsoft Azure and expands its leadership in this area, both companies will take full advantage of Azure services to offer clients an end-to-end solution.

BUI and Ascent have a long history of successful collaboration, and have delivered transformational end-to-end solutions across several clients in the past.

About Ascent Technology

Ascent Technology, one of Microsoft’s unique, award-winning and successful partners in the Data Platform Competency, has been delivering value added solutions to its ever-growing outsourced client base since 2003.

Furthermore, Ascent has been particularly successful at creating value for its client base by making sure that new technologies are implemented and unlocked, thereby enabling its clients to react quickly and effectively to their ever-changing market conditions.