All about POPIA compliance: South Africa’s new data privacy law – and what it means for you
South Africa’s Protection of Personal Information Act (POPIA) has finally come into force.
That’s good news for South African citizens and residents, since the legislation’s aim is to protect their personally identifiable information (PII) after it’s collected by public and private entities in the country.
But what does the new law mean for South African organisations who must comply?
For some the answer is, not a lot. Since a few South African businesses work with European clients and partners, many – particularly those in finance and telecom – had already overhauled their data security to comply with GDPR, after it came online in 2016.
And while POPIA isn’t a replica of GDPR, most data privacy legislation around the world share enough commonalities that preparing for one of them puts you in pretty good shape to comply with any others.
For other organisations, however, complying with POPIA will take some work and investment.
A 2019 survey indicated a significant chunk of South African organisations – around 34 per cent – weren’t yet ready for POPIA’s full implementation, and it’s fair to say that number hasn’t changed a great deal since.
The good news is that the government has introduced a one-year grace period, to give these organisations time to get up to speed – although some critics, such as DLA Piper, have questioned whether fully implementing POPIA during the height of a pandemic may represent undue hardship on businesses.
Either way, as of July 1 of this year, the organisations in the “not yet ready” camp have been put on notice. And it’s now time for them to get compliant.
POPIA compliance enforcement is likely to be ruthless
POPIA, which was first passed way back in 2013 (before the EU’s GDPR came into existence) and had parts of it come into effect in mid 2014, has truly been a long time coming. Since those initial sections came into effect six years ago, observers have speculated on when the act would come into full force – from “sometime in 2019”, to April 1 of this year, to July 1, when in fact the legislation did come into force.
While the delays led to some frustration and fatigue among South Africans, they were in part attributable to the passing and rollout of GDPR (in 2013 and 2016, respectively) as legislators learned from the European experience and adjusted POPIA accordingly.
Adding to these companies’ struggles, however, will be an almost certain compliance bottleneck as demand increases for vendors on the ground in South Africa with the right skills and technologies. As the one-year grace period ticks down to the deadline of July 1, 2021, this demand is likely to be so great that some companies simply won’t be able to get compliant in time.
But despite these delays, I don’t believe the South African government will have much leniency with stragglers once POPIA’s one-year grace period ends.
Quite the opposite, in fact.
Organisations in South Africa have had years to begin preparing for this, and due to that fact alone I think the government will be ruthless in its enforcement of POPIA.
The nuts and bolts of POPIA compliance
POPIA mostly applies to those who process data for commercial reasons, and contains several exemptions including data processed for public bodies relating to national security, law, or the justice system; provincial cabinet data; and data processed for journalistic pursuits.
The law is based on eight conditions for the lawful processing of personal data, as listed below:
- Accountability. The data processor takes on all responsibility for ensuring the rest of the conditions are met.
- Processing Limitation. Strict limitations on what kind of data processing is allowed, including only processing relevant data with a specific purpose and allowing data subjects to object/withdraw consent at any time.
- Purpose specification. Restricts reasons behind data collection to “specific, explicitly defined and lawful” purposes – essentially, data collection must revolve around your normal business activities. Your data subjects must also be aware of these reasons.
- Further processing limitation. Puts limitations on how organizations can further process data from their original intent, so that any further processing must be “compatible with the purpose for which it was (originally) collected”.
- Information quality. Stipulates that organizations must ensure collected data is complete and accurate.
- Openness. Regards data processors’ responsibilities under South Africa’s Promotion of Access to Information Act, requiring documentation of data processing activities and proactive data subject notification when data is collected.
- Security safeguards. Outlines the security requirements – described as “appropriate, reasonable technical and organizational measures” – organizations must take to keep personal data safe.
- Data subject participation. Defines the rights of data subjects including the right to access their own data, to be able to request and receive corrections within a timely manner.
POPIA compliance best practices
Like other data privacy laws, there are certain best practices organisations can take in order to get and stay compliant with POPIA, much of them to do with process.
For starters, you should always obtain consent before collecting, processing, sharing, or doing anything else with someone’s data. You should also only collect the data you need for your stated purpose and store the information only as long as you need it.
But it’s also about technology, and one of the most impactful steps you’ll take when it comes to POPIA compliance is the implementation of data identification and classification software.
Indeed, companies can have the most sophisticated cybersecurity and data loss prevention (DLP) stack in existence and, without knowing where PII and sensitive data exists in their systems, still land on the wrong side of POPIA.
Data classification software embeds persistent metadata into all an organisation’s emails and documents, both during creation and for data at rest, while identifying the existence of PII and other sensitive data within those documents. It then classifies these files based on a flexible, easily customised policy engine, allowing for data context across all your files that informs the rest of your downstream security ecosystem.
And maybe the best part?
Like I already mentioned, once you use data classification software to get compliant with one data privacy law, compliance with the rest of them is usually easy.
Which means you’ll always be ready for the next challenge.