The Protection of Personal Information Act is South Africa’s data privacy law.
1. What is POPIA?
POPIA is South Africa’s data privacy law. Most of its sections came into force on 1 July 2020, followed by a one-year grace period, so compliance became mandatory on 1 July 2021 (the grace period ended on 30 June 2021).
2. Who does POPIA apply to?
Organisations that are domiciled in South Africa, and organisations that are not domiciled there but process personal information using means (servers, offices, contractors) located in the country. To determine whether the second limb applies, consider where your on-prem data centres and cloud-based deployments actually run: both AWS and Microsoft Azure now have cloud regions in South Africa, so a workload deployed into one of those regions is processing data within the country.
3. Why was this legislation drawn up?
To protect people from the harm they may suffer if their personal information is abused. A data protection regime comparable to that of its trading partners is also necessary for South Africa to take part in international trade, because many jurisdictions restrict transfers of personal data to countries without equivalent protection.
4. Who has the power to enforce POPIA?
South Africa’s new regulatory authority – the Information Regulator.
5. Who and what is protected under the term personal data?
POPIA’s definition of “person” includes juristic persons, so it protects information about companies (partners, suppliers and vendors) as well as information about individuals.
There are nine actionable rights for data subjects, including but not limited to the right to access, the right to correction and the right to deletion.
A separate subcategory, which the act calls special personal information, covers data relating to race, ethnic origin, sexual orientation, political persuasion, health, religion, trade union membership, biometrics and criminal behaviour, among others, and is subject to stricter requirements: it may only be processed under one of the specific exceptions the act lists.
POPIA protects anyone whose personal information is processed within South African territory or by a South African undertaking, regardless of the individual’s nationality or place of residence.
6. Who is responsible for ensuring an organisation is compliant?
The head of an organisation is automatically its Information Officer, who may in turn designate one or more Deputy Information Officers. The Information Officer and any deputies must be registered with the Information Regulator by March 3 2021, before they take up their duties.
7. What penalties are there?
8. What benefits for an organisation are there?
POPIA compliance demonstrates to clients, suppliers, employees and other associates that:
9. What is required to ensure compliance when collecting data?
A lawful justification for the processing, established before any personal information is collected. Consent of the data subject is the most common justification, but POPIA also permits processing that is necessary to perform a contract with the data subject, to comply with a legal obligation, or to pursue a legitimate interest of the organisation or a third party. Whatever the justification, you must be up front about:
The most practical way to give this notice is to incorporate it into your online privacy policy, and to record which justification you rely on for each processing activity.
10. What is required to ensure compliance when processing data?
Organisations must satisfy requirements for data security, data transfer and rights of access. Appropriate, reasonable technical and organisational measures must be implemented to keep personal information secure against the risk of loss, damage or unauthorised destruction, and against unlawful access, interference, modification or disclosure.
11. How does the POPIA affect an organisation’s data security requirements?
POPIA requires appropriate, reasonable technical and organisational measures to protect the personal information in your possession or under your control. The act also requires you to identify the reasonably foreseeable risks to that information, establish and maintain safeguards against them, verify regularly that the safeguards are effectively implemented, and update them in response to new risks or deficiencies.
Provided you give due regard to generally accepted information security practices and procedures, you can tailor the measures to the nature of the personal information you process, the impact of a potential breach and the cost of implementation. Note that the same duty extends to operators: a third party that processes personal information on your behalf must be bound by a written contract to apply the same standard of security.
12. What restrictions are there regarding data transfers?
In general, POPIA prohibits transfers of personal information to a third party outside South Africa unless one of the conditions in the act is met: the recipient is subject to a law, binding corporate rules or a binding agreement that provides substantially similar protection (including restrictions on onward transfers); the data subject has consented to the transfer; the transfer is necessary to perform a contract with the data subject; or the transfer is for the benefit of the data subject and consent is impracticable to obtain but would likely be given. For cloud deployments this means checking not only the primary region but also where backups, replicas and support access are located.
13. What obligations does an organisation have to respond to a Data Subject Access Request?
Data subjects may request, free of charge, confirmation of whether an organisation holds their personal information, and they have the right to request correction or deletion of that information.
Organisations are allowed to charge for a copy of what data they hold, but only after first providing a written estimate of the fee.
POPIA sets no specific time limit for responding to such a request, stating only that organisations must respond within a reasonable time. Access requests are handled under the procedure of the Promotion of Access to Information Act (PAIA), so check the time limits that apply there as well.
14. How long does an organisation get to report a data breach?
POPIA states that, where there are reasonable grounds to believe personal information has been accessed or acquired by an unauthorised person, the organisation must notify both the Information Regulator and the affected data subjects as soon as reasonably possible after discovering the compromise. Notification to data subjects may be delayed only where a law enforcement body or the Regulator determines that it would impede a criminal investigation.
15. What are the main implications for an organisation?
Businesses will need to:
With certifications in ISO 9001 for quality management, ISO 27001 for information security management systems and ISO 22301 for business continuity, Redstor has two decades of experience in managing and protecting data across multiple platforms for organisations of all sizes, from enterprise to SMEs to schools.