1. What is POPIA?
The Protection of Personal Information Act is South Africa’s data privacy law. Most sections of the act have been law since July 1 2020 – but compliance is mandatory from June 30 2021.
2. Who does POPIA apply to?
Organizations either based in SA or who process personal data within the country. To determine this, you should consider the whereabouts of on-prem data centers and cloudbased deployments. Both AWS and Microsoft Azure now have cloud regions in SA.
3. Why was this legislation drawn up?
To protect people from the harm they may suffer should their personal information be abused.
Data protection laws that meet the standard of those adopted by other nations are also necessary for SA to trade globally.
4. Who has the power to enforce POPIA?
South Africa’s new regulatory authority – the Information Regulator.
5. Who and what is protected under the term personal data?
POPIA covers information belonging to partners, suppliers and vendors, as well as individuals.
There are nine actionable rights for South African citizens (data subjects), including but not limited to the right to access, right to correction and right to deletion.
A separate subcategory of more sensitive personal data, relating to sensitive personal data, relating to race, ethnic origin, sexual orientation and political persuasion among others, is subject to stricter requirements.
POPIA also goes a step further than other data privacy laws by protecting anyone whose personal data is processed within South African territory or by a South African undertaking – regardless of the individual’s nationality.
6. Who is responsible for ensuring an organisation is compliant?
The head of an organisation is automatically the Information Officer, who must, in turn, appoint one or more deputies. Their details must have been logged with the Information Regulator by March 3 2021.
7. What penalties are there?
- Fine of up to R10 million, up to ten years in jail
- Payment of damages to those affected
8. What benefits for an organisation are there?
POPIA compliance demonstrates to clients, suppliers, employees and other associates that:
- their personal information is well protected
- measures are in place to guard against malware attacks and cyber-crime
- there will be no adverse impact on transactions, undermining business competitiveness
9. What is required to ensure compliance when collecting data?
Prior consent of end-users before processing personal information.
You must be upfront about:
- who you are
- what information you collect
- why you collect it
- the rights of data subjects
10. What is required to ensure compliance when processing data?
Organisations must satisfy requirements for data security, data transfer and rights of access. Technical and organisational measures must be implemented to keep personal information secure against the risk of loss, damage, unauthorised access, interference, modification, destruction, and disclosure.
11. How does the POPIA affect an organisation’s data security requirements?
The POPIA demands the implementation of appropriate technical and organizational measures to protect personal data in your possession.
Providing you give due regard to generally accepted security practices and procedures, this means you can tailor security measures to the nature of the personal data you process, impact level of a potential breach and cost of implementation.
12. What restrictions are there regarding data transfers?
In general, the POPIA prohibits transfers of personal data outside of South Africa, unless the crossborder transfer is to a third party that is subject to very similar legal or corporate data protection rules. Or corporate data protection rules. Or when an individual has consented or where the transfer is necessary to fulfil a contract.
13. What obligations does an organisation have to respond to a Data Subject Access Request?
Citizens may request, free of charge, confirmation of whether an organisation is processing their personal information and have the right to correction and erasure.
Organisations are allowed to charge for a copy of what data they hold, but only after first providing a written estimate of the fee.
There is no specific time limit within which to do this. The POPIA states only that organisations must respond to any request within a reasonable time.
14. How long does an organisation get to report a data breach?
POPIA states this must be done as soon as reasonably possible.
15. What are the main implications for an organisation?
Businesses will need to:
- demonstrate transparency and accountability around how and why data is gathered
- account for the increased responsibility placed on data processors
- make provision for Data Subject Access Requests
- ensure the laws around data sovereignty are met
- prepare for more auditing and reporting
- be mindful of harsher penalties for non-compliance