South Africa’s Protection of Personal Information Act gives individuals more control over how their personal information is collected, processed, and used by private and public bodies. The Act requires such bodies (AKA responsible parties) to meet several minimum requirements for the lawful processing of data – and the grace period is almost over. From 1 July 2021, SA organisations must be compliant. Are you ready? Ask your leadership team these five questions to check that key areas of accountability have been addressed…
As a responsible party, you are required to register your Information Officer with the Information Regulator by 1 July 2021.
You can do this online via the Information Officer Registration Portal on the Information Regulator’s website, where electronic and PDF versions of the registration form are available. The portal also contains relevant documentation, including guidance notes, official notices, and policies.
Remember, your Information Officer (IO) is the person responsible for making sure your organisation adheres to POPIA. They need to encourage and ensure your organisation’s compliance with POPIA, deal with any information access requests pursuant to the legislation, and work with the Information Regulator in relation to any investigations conducted in terms of POPIA.
They also need to see to it that an organisational compliance framework is developed, implemented, monitored and maintained, and that internal awareness sessions are conducted regarding the provisions of the Act, among other duties. The IO’s responsibilities are listed in Section 55 of POPIA and in the POPIA Regulations.
As a responsible party, you are required to secure the integrity and confidentiality of personal information in your possession or under your control.
According to Section 19 of POPIA, this includes the implementation of “appropriate, reasonable technical and organisational measures” to prevent loss of, damage to, or unauthorised destruction of personal information.
Whether you manage personal data on paper or online, POPIA calls for you to identify all reasonably foreseeable internal and external risks to the data; establish and maintain appropriate safeguards against the risks identified; regularly verify that the safeguards are effectively implemented; and ensure that the safeguards are continually updated in response to new risks.
In addition, POPIA decrees that you must have “due regard to generally accepted information security practices and procedures” which may apply to you generally, or which may be required in terms of specific industry or professional regulations (e.g., hospitals are expected to have strict security measures in place to protect the detailed, sensitive medical records of their patients).
As a responsible party, you are required to report security compromises to the Information Regulator and the data subject(s) involved as soon as reasonably possible.
Section 22 of POPIA describes the obligations of the responsible party when there are “reasonable grounds” to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person.
You should have a comprehensive incident response plan on hand to guide your actions in the event of a data breach, data leak, or cybersecurity incident. Make sure that your IO and key members of your leadership team follow a systematic process to identify the incident, respond appropriately, escalate where necessary, and communicate clearly in line with POPIA’s stipulations.
If you fail to notify data subjects in such circumstances, you could face imprisonment, fines, or both. Remember, you must notify affected parties in writing as soon as reasonably possible after the discovery of a security compromise.
As a responsible party, you should ensure that your employees are educated about basic information security protocols and procedures.
From your Human Resources Department, which handles sensitive staff info, to your employees themselves, who may manage personal data from customers, suppliers, and service providers, your teams have to deal with personal information on a regular basis.
Make sure everyone in your organisation is familiar with POPIA’s requirements – and that individual staff members, line managers, and department heads understand their duties and responsibilities when it comes to data processing, data management, and data security.
Educate your personnel about the collection, use, and storage of personal information under POPIA, and remember that they may need specialised training for new systems and new productivity tools deployed now, or in the future.
As a responsible party, you could face hefty fines or imprisonment if you’re found to be in contravention of the law.
There are civil and criminal consequences for non-compliance with POPIA. Section 99 of the Act describes how a data subject (or the Information Regulator, at the request of a data subject) may institute civil action against a responsible party for breach of POPIA.
Offences, penalties, and administrative fines are outlined in Chapter 11 of the legislation. If you are convicted of an offence in terms of POPIA, you could be fined up to R10-million, or imprisoned for up to 10 years.
Non-compliance also poses a risk to your reputation: public trust in your organisation could be eroded overnight if you suffer a data breach, and serious brand damage could cripple your business irrevocably.
The BUI Cyber Security Operations Center is the first of its kind in Africa. Take a look inside to see how our security experts protect and defend critical data 365 days a year.
Or contact our team directly to learn more about next-generation security solutions to safeguard your personal information, customer files, and business resources.
With only five months until the grace period for POPIA compliance comes to an end, our Chief Technology Officer Willem Malan, Cloud Security Architect Neil du Plessis, and Modern Workplace Architect Pieter Neethling explore the challenges before South African organisations, and the technological solutions available to address them.
South Africa’s Protection of Personal Information Act (POPIA) is designed to ensure that private, public, and governmental organisations behave lawfully and responsibly when processing personal information. Signed into law on 19 November 2013 by then-president Jacob Zuma, and gazetted on 26 November 2013, POPIA is a key piece of privacy legislation.
Certain sections of the Act became effective on 11 April 2014, and last year, President Cyril Ramaphosa announced commencement dates for the others. There is a 12-month grace period for compliance with the sections of POPIA that commenced on 1 July 2020, meaning organisations have until 30 June 2021 to put the appropriate measures in place.
“Right now, POPIA compliance should be at the top of the to-do list for every business,” says Willem Malan, our Chief Technology Officer. “And it’s absolutely critical if you haven’t yet begun, because the journey towards compliance is not simply a box-ticking exercise. POPIA requires a fundamental shift in terms of how you deal with personal information, and for many enterprises, that will involve a deep dive into their methods of gathering, processing, and safeguarding data,” he explains.
By October 2020, around 30% of South African organisations considered themselves well-prepared to meet their compliance obligations under POPIA, according to a local survey. In the same survey, 39% said they were partly ready, 14% had only just started planning, and 8% had not conducted any preparations at all. The disparity is striking, but perhaps not surprising, observes Malan. “For years, there’s been a general awareness about POPIA. It certainly has been one of the most talked-about governance issues in the corporate sphere. But there’s a gulf between acknowledgement and action, and I think that has been a stumbling block for business teams.”
Without prescriptive guidance from the Information Regulator, stakeholders have had to figure out their own POPIA road maps, continues Malan. “They’ve had to get to grips with the law and its specific requirements, before crafting their compliance strategies. That was a significant challenge prior to the coronavirus pandemic, given the time and resources needed. And it’s an even more daunting task now, when organisations are recovering from the impact of the COVID-19 lockdowns, and recalibrating for the new world of work. Considering the extraordinary circumstances of 2020, it’s no wonder only about a third of businesses felt on track to achieve POPIA readiness in time,” he adds.
Neil du Plessis, our Cloud Security Architect, notes that POPIA’s incremental rollout may have dampened the sense of urgency initially seen in boardrooms. “When the Act was promulgated in 2013, it was a wake-up call for everyone. Conversations quickly turned towards compliance, and organisations began to formulate their policies and procedures. But as the years went by without official time frames for POPIA implementation, there seemed to be a loss of momentum at the corporate level. In the absence of concrete deadlines, the impetus for swift, comprehensive action appeared to fade. And now, many businesses are under pressure to expedite their POPIA programmes to meet the mid-year target.”
As the countdown intensifies, organisations also have to make sure that the compliance process is driven forward successfully. POPIA’s diverse requirements necessitate a multi-disciplinary approach, says Du Plessis. “From technical controls to record-keeping measures, the Act outlines parameters for lawful data-handling. Compliance, however, is not exclusively an IT issue or a human resources issue to address, and it cannot be delegated to a single department. POPIA has business-wide implications, and the business response should reflect that,” he says.
Malan agrees. “Data protection is a critical obligation, and businesses cannot outsource their accountability. They are responsible for their own compliance. And they have to answer for how they collect and use personal information. It’s important to look at the enterprise holistically, and to plan and monitor efforts in line with POPIA. It also makes sense to leverage available technology to streamline the process,” he says.
Microsoft Compliance Manager, a relatively new feature in the Microsoft 365 compliance centre, is already being embraced by BUI customers. “It’s such an intuitive, user-friendly platform,” remarks Pieter Neethling, our Modern Workplace Architect. With pre-built assessments for common information security standards like ISO 27001:2013 and custom assessments for POPIA and similar laws, it’s simpler to benchmark and monitor compliance status, insofar as it relates to the use of Microsoft cloud services such as Microsoft 365 or Azure Active Directory.
“With Compliance Manager’s centralised dashboard, you can perform real-time assessments of your estate, and get the detailed insights you need to strengthen your compliance capabilities,” continues Neethling. “That level of visibility – combined with step-by-step guidance to address shortcomings, and tools to record and track progress – makes Compliance Manager a robust solution for customers,” he says.
The platform also serves as an evidence repository for supporting documentation, and enables project teams to organise and unify their compliance initiatives. “You can drill down to view and manage individual tasks, evaluate progress, generate audit-ready status reports, and understand your overall compliance posture at a glance. The functionality is right there, at your fingertips,” explains Neethling.
Du Plessis adds that Compliance Manager brings order and scalability to organisational compliance efforts. “It can be overwhelming when you’re confronted with large environments of users, devices, and applications to assess, but Compliance Manager removes the burden by categorising and prioritising required actions. The assessments can be mapped and scaled for your particular business needs to help you manage compliance proactively and efficiently,” he says.
The Protection of Personal Information Act is clear about the costs of non-compliance: fines of up to R10-million. While the financial penalties are substantial, Malan believes there’s a greater cost for businesses that fail to comply with POPIA. “Organisations that do not take data privacy and data security seriously tend to suffer the consequences, sooner or later,” he argues. “And those consequences are usually very public and very damaging – sometimes irreparably so. In many cases, the cost of compliance paled in comparison to the cost of the resultant business disruption and reputational harm.”
Making sure that your enterprise is POPIA compliant is not only good business practice, but good for business too, continues Malan. “If you haven’t yet focused on your POPIA journey, then now’s the time to put in the necessary attention and effort. Now’s the time to get your internal systems, policies, and processes organised. Because as soon as you have that framework in place, you can concentrate on implementing the technological controls. And that’s fairly straightforward to accomplish, with practical help from a trusted partner,” he concludes.
From improving cybersecurity to enabling collaboration and migrating to the cloud, we’ve helped customers make the most of technology.
Let’s talk about customised solutions to help you solve your POPIA compliance challenges more efficiently. Contact us today.