What South Africa's new data privacy law means for businesses

A look at the fundamentals of South Africa's POPIA compliance and best practices, as well as its key differences and similarities with GDPR.


This is a contributed article by Steph Charbonneau, CTO, Titus.

On 1st July we saw the long-awaited Protection of Personal Information Act (POPIA) come into force in South Africa. POPIA is South Africa's equivalent of the EU GDPR. In short, the act is a new legislative framework for data protection. It aims to promote the constitutional right to privacy by safeguarding personal information. 

It does this by regulating the flow of information, advancing the rights of individuals to access their information and by creating eight conditions or minimum thresholds. It will require both public and private bodies to comply with the conditions when collecting, processing, storing, and sharing personal information. 

In an era where data governance is taking greater importance in an organisation's objectives and business strategy, businesses need to make sure comprehensive IT compliance is being managed effectively. 

Differences between the GDPR & POPIA 

The GDPR applies to the personal data of EU data subjects (in short, EU citizens), regardless of jurisdiction or where the data is being processed. On the other hand, POPIA is only limited to personal information processed within the borders of South Africa. 

Whilst GDPR only applies to information about living natural people, POPIA also applies to information collected about companies, body corporates, trusts and other similar entities. POPIA is therefore broader in scope than GDPR, since information about vendors, suppliers or partners is also subject to the requirements and conditions of the act. 

Whilst there are several key differences between the two pieces of legislation, POPIA can be seen as an important stepping stone to GDPR compliance. Organisations that do not comply with POPIA will not meet the requirements of the GDPR either, which will make it difficult for South African organisations to undertake international business. 

The fundamentals of POPIA compliance 

POPIA mostly applies to those who process data for commercial reasons and contains several exemptions including data processed for public bodies relating to national security, law, or the justice system; provincial cabinet data; and data processed for journalistic pursuits. 

The law is based on eight conditions for the lawful processing of personal data, as listed below: 

  1. Accountability. The data processor takes on all responsibility for ensuring the rest of the conditions are met. 
  2. Processing Limitation. Strict limitations on what kind of data processing is allowed, including only processing relevant data with a specific purpose and allowing data subjects to object/withdraw consent at any time. 
  3. Purpose specification. Restricts reasons behind data collection to "specific, explicitly defined and lawful" purposes – essentially, data collection must revolve around your normal business activities. Your data subjects must also be aware of these reasons. 
  4. Further processing limitation. Puts limitations on how organisations can further process data from their original intent, so that any further processing must be "compatible with the purpose for which it was (originally) collected". 
  5. Information quality. Stipulates that organisations must ensure collected data is complete and accurate. 
  6. Openness. Regards data processors' responsibilities under South Africa's Promotion of Access to Information Act, requiring documentation of data processing activities and proactive data subject notification when data is collected. 
  7. Security safeguards. Outlines the security requirements – described as "appropriate, reasonable technical and organizational measures" – organisations must take to keep personal data safe. 
  8. Data subject participation. Defines the rights of data subjects, including the right to access their own data and to request and receive corrections in a timely manner. 

POPIA compliance best practices 

As with other data privacy laws, there are certain best practices organisations can implement in order to get, and stay, compliant with POPIA, many of which have to do with process. 

For starters, you should always obtain consent before collecting, processing, sharing, or doing anything else with someone's data. You should also only collect the data you need for your stated purpose and store the information only as long as you need it. 

But it's also about technology, and one of the most impactful steps you'll take when it comes to POPIA compliance is the implementation of data identification and classification software. 

Indeed, companies can have the most sophisticated cybersecurity and data loss prevention (DLP) stack in existence and, without knowing where PII and sensitive data exists in their systems, still land on the wrong side of POPIA. 

Data classification software embeds persistent metadata into all of an organisation's emails and documents, both at creation time and for data at rest, while identifying PII and other sensitive data within those documents. It then classifies these files according to a flexible, easily customised policy engine, giving every file a data context that informs the rest of your downstream security ecosystem (for example, DLP rules that act on the classification label rather than re-inspecting content). 
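To make the classify-and-tag pattern concrete, the following is an added illustration written for this article; it is not Titus code and not any product's rule set. It assumes a constructed pair of PII detectors (an email-address pattern and a South African-style phone number pattern), a constructed ordered policy table that maps detected PII types to a label, and a simple bracketed header as the "persistent metadata" that a downstream DLP system would read. Re-tagging an already-tagged document replaces its header rather than stacking a second one.

```python
import re

# Constructed detectors for this example. Real classification engines ship far
# richer detector libraries; these two are enough to show the policy logic.
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # +27 is South Africa's dialling code; local numbers start with 0.
    "phone": re.compile(r"(?<!\d)(?:\+27|0)[ -]?\d{2}[ -]?\d{3}[ -]?\d{4}(?!\d)"),
}

# Constructed policy table: first rule whose required PII types are all present
# wins, so order rules from most to least sensitive.
POLICY = [
    ("Confidential-PII", {"email", "phone"}),
    ("Internal-PII", {"email"}),
    ("Internal-PII", {"phone"}),
]
DEFAULT_LABEL = "Public"

# Persistent metadata header embedded at the top of a tagged document.
HEADER_RE = re.compile(
    r"^\[\[classification=(?P<label>[^;\]]+); pii=(?P<pii>[^\]]*)\]\]\n?"
)


def strip_metadata(doc: str) -> str:
    """Remove an existing metadata header so content is scanned only once."""
    return HEADER_RE.sub("", doc, count=1)


def detect_pii(text: str) -> dict:
    """Return {pii_type: match_count} for every detector that fires."""
    findings = {}
    for pii_type, pattern in DETECTORS.items():
        count = len(pattern.findall(text))
        if count:
            findings[pii_type] = count
    return findings


def classify_findings(findings: dict) -> str:
    """Apply the ordered policy table to the set of detected PII types."""
    detected = set(findings)
    for label, required in POLICY:
        if required <= detected:
            return label
    return DEFAULT_LABEL


def classify(doc: str) -> str:
    """Classify a document's body, ignoring any header it already carries."""
    return classify_findings(detect_pii(strip_metadata(doc)))


def embed_metadata(body: str, label: str, findings: dict) -> str:
    """Prepend the persistent header that downstream tools (DLP, email gateways) read."""
    pii = ",".join(sorted(findings)) or "none"
    return f"[[classification={label}; pii={pii}]]\n" + body


def read_metadata(doc: str):
    """Parse the header back out; None if the document was never tagged."""
    m = HEADER_RE.match(doc)
    if not m:
        return None
    pii = m.group("pii")
    return {
        "classification": m.group("label"),
        "pii": [] if pii == "none" else pii.split(","),
    }


def tag_document(doc: str) -> str:
    """Idempotent classify-and-tag: strip old header, scan, re-embed."""
    body = strip_metadata(doc)
    findings = detect_pii(body)
    return embed_metadata(body, classify_findings(findings), findings)


# Constructed sample corpus (no real people or companies).
SAMPLE_DOCS = {
    "invoice.txt": "Invoice for ACME (Pty) Ltd. Contact: billing@example.co.za, tel 011 555 1234.",
    "memo.txt": "Call Thandi on +27 82 555 9876 about the audit.",
    "newsletter.txt": "Our offices close on public holidays. See the notice board for details.",
}


def classify_corpus(docs: dict) -> dict:
    """Map each file name to its label, as a data-at-rest sweep would."""
    return {name: classify(text) for name, text in docs.items()}


if __name__ == "__main__":
    for name, label in classify_corpus(SAMPLE_DOCS).items():
        print(f"{name}: {label}")
    print(tag_document(SAMPLE_DOCS["memo.txt"]))
```

The point of `strip_metadata` and the idempotent `tag_document` is that classification runs repeatedly (at creation, on every edit, and during data-at-rest sweeps), so the tag must be replaced, never duplicated, and the header itself must never be mistaken for content.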

Lastly, once you use data classification software to get compliant with one data privacy law, compliance with the rest of them is usually easier, meaning you can maximise the value of your investment and apply it to multiple compliance challenges. 

Stephane Charbonneau is one of the original founders of Titus and serves as Chief Technology Officer. His background as an IT Security Architect helps bridge the gap between customer requirements and the product suites offered by the company. Charbonneau has worked as senior architect at a major US financial institution and in several Canadian federal government departments. He has delivered specialised Entrust training courses to Fortune 500 enterprises around the world and had the opportunity to meet and work with many of the top public key infrastructure (PKI) and security specialists on the planet.