What is POPIA, and How Do You Achieve Compliance?

As data privacy takes center stage around the world, governing bodies have begun devoting ever more time and attention to defining legal frameworks for working with consumer data safely. South Africa’s Protection of Personal Information Act, or "POPIA," was put forth in 2013 to help keep individuals' personal information from being misused. 

Privacy is considered an inalienable human right in the nation, and the rules the POPIA lays out are meant to ensure that people can keep their own information as private as they want it to be.

In this post, we’ll discuss what POPIA is and how it affects any organization that processes the data of citizens in South Africa.

• What Is POPIA?
• POPIA Noncompliance Risks
• Best Practices for Compliance with POPIA
• Final Thoughts 
• Frequented Asked Questions 
   

Image by PopTika via Shutterstock

What is POPIA?

In Europe, the General Data Privacy Regulation, or "GDPR," provides clarity on key issues surrounding the use of sensitive data, as well as guidance for organizations operating within the region.

This focus on data security has gradually spread to other regions around the world, spurring reforms both large and small to accommodate our rapidly evolving technological reality. South Africa has certainly not been left out of this legal revolution.

While the details of South Africa's stance on data governance diverge from that of the EU, the core essence of establishing ground rules to protect citizenry is very much the same.

POPIA is South Africa's "Protection of Personal Information Act," and it establishes rules for the lawful processing of personal information. The Act was made active law in 2020, and compliance with it became mandatory in 2021.

We'll discuss a few standout POPIA noncompliance risks organizations must mitigate below, along with best practices for achieving compliance with this important data security law.

POPIA Noncompliance Risks

Penalties for serious offenses

In South Africa, fines for serious offenses against the POPIA can be as high as 10 million ZAR or about $533,000 (USD). Jail time could also be imposed, and sentences of 10 years are possible.

Each of the following crimes constitutes a serious offense:

• Failure to comply with notices or legal conditions - When South African authorities issue enforcement notices, you are expected to comply with them. You must also satisfy certain conditions when processing account numbers.
• Unlawful account number handling - Whether you knowingly skirt the law in obtaining someone's account number or simply do so recklessly, you could be held accountable by authorities in the country. The same rule applies to disclosing such data or attempting to sell it.

• Failure to cooperate with regulators - Obstructing the nation’s regulator in any way is considered a serious offense, as is providing false evidence while under oath.
   

  
  Photo by Tranmautritam via Pexels
  
  Penalties for minor offenses

Minor offenses don't carry the same penalties as those mentioned above, but they can still prove costly enough to consider avoiding. 

In the event you commit a minor offense with personal data in South Africa, the POPIA allows for fines of up to 1 million ZAR or about $53,000 (USD) to be issued against you. You could also be sentenced to a year in jail.

Minor offenses include:

• Failure to provide evidence or obtain authorization - If the regulator requires evidence from you and you refuse to provide any, you could be fined. You may also need to request authorization from the regulator for certain activities to avoid criminal liability.
• Obstructing a warrant officer - Anyone executing a warrant on the part of the regulator should be assisted or, at least, not obstructed. Failure in this regard is grounds for a fine or jail time.
• Making false statements - False statements made regarding data handling are fineable offenses according to the POPIA

For more information about this, check out the following video:

Best Practices for Compliance with POPIA

Appoint an information officer

The POPIA considers a company's CEO to be its information officer if no other individual explicitly occupies that role in the organization. However, formally appointing such an officer is recommended. 

Your chosen information officer must be prepared to handle data privacy issues within your industry.

Assess information collection practices

In order to achieve and maintain compliance with the POPIA, you’ll need a strong understanding of the routes data takes throughout your organization. More specifically, you should know:

• Your data and its uses - What information are you currently collecting from consumers? What are you collecting data for?
• Your collection and storage practices - How are you acquiring data? Have you obtained consent from users to do so? Who handles data collection? Where is this information stored? For how long is this data retained?

Implement a compliance framework

To establish a reasonable POPIA compliance framework within your organization, you should consider conducting a gap analysis to identify current risks. 

Once complete, a gap analysis should yield a list of processes and divisions that would benefit from updated policies. 

Training forms a great basis for effecting meaningful change in your current operating procedures, though you may need to reassess existing contracts and privacy policies in order to achieve full compliance

Final Thoughts

Image by inkflo from Pixabay

Data privacy is not likely to become less of a priority in the near term. Accommodating laws concerning data in regions and countries where you operate is essential. Implementing a robust data loss prevention solution like Digital Guardian and data classification from Fortra to aid in locating regulated files, can help you maintain compliance, protecting your sensitive data and your brand's reputation while avoiding the expensive consequences of noncompliance. 

Frequently Asked Questions

What is the purpose of the POPIA?

South Africa's POPIA is intended to provide adequate protection for people's personal data within the country. Protecting personal privacy is the first and main purpose of the act itself and it governs the handling of personal data by organizations of all kinds.

Who needs to comply with POPIA?

If your company operates in South Africa or handles South African consumer data, then you will need to comply with the POPIA.

How do you comply with POPIA?

Ensuring you have an information officer within your organization who can manage the handling of data across your existing operations is a must. This can be the CEO or a dedicated CIO.

You should also assess your organization's existing data privacy practices and enhance them to ensure that they reasonably accommodate the rules laid out in the POPIA.