South Africa POPIA Compliance and Cybersecurity
The Protection of Personal Information Act (POPIA), Act 4 of 2013, is a comprehensive privacy and personal data
protection law in South Africa that imposes a set of cybersecurity requirements on South African
and foreign entities that process personal information within the country.
What is POPIA and what does it mean for your business?
Composed of 12 Chapters and 115 Sections, POPIA establishes a comprehensive privacy regime in South Africa. Most provisions of POPIA came into effect on July 1, 2020, but enforcement only commenced on July 1, 2021, after a one-year grace period granted to covered entities to give them sufficient time to implement the technical and organizational measures required by the Act.
ImmuniWeb can help you comply with POPIA cybersecurity and data protection requirements. Learn more
POPIA was inspired by the European GDPR and grants South African individuals a broad spectrum of privacy rights to decide and control how their personal information may be used, processed or shared by private and public sector organizations. Among other notable provisions, and in line with the European privacy law, POPIA significantly restricts transfers of personal information to foreign countries. The Act also offers much stronger protection to Special Personal Information (SPI), which includes the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, and biometric information of a data subject.
Similar to other personal data protection laws, POPIA requires a lawful basis, such as the voluntarily given consent of a data subject, for the processing of personal information. Individuals are entitled to request access to their personal information, ask for correction of erroneous or outdated information, and request deletion of their personal information unless a specific exception applies. The full list of rights and the exclusions are elaborated in Sections 5 and 6 of the Act, respectively. POPIA stipulates that lawful processing of personal information rests on the following eight foundational principles (referred to as "Conditions" in the Act):
- Accountability
- Processing limitation
- Purpose specification
- Further processing limitation
- Information quality
- Openness
- Security safeguards
- Data subject participation
Many of the above-mentioned conditions closely resemble those of other privacy regimes, such as the PDPA in Singapore or the PDPO in Hong Kong. For instance, under the openness condition, covered organizations are required to ensure fair and transparent processing of personal information by publishing a clear and sufficiently detailed privacy notice, as prescribed by Section 18 of the Act.
Under POPIA, the data controller is labeled the "responsible party", while the data processor is referred to as the "operator". Both have to comply with the security and data breach notification provisions of the Act. The responsible party is also required to designate an Information Officer, analogous to the Data Protection Officer (DPO) under GDPR, and to register him or her with the Information Regulator. Somewhat unusually, but wisely, the designation of Deputy Information Officers is likewise required. The duties and responsibilities of these officers are elaborated in Sections 55 and 56 of POPIA.
Who is covered by POPIA regulation?
Unlike the majority of modern privacy laws, POPIA protects not only natural persons but, where applicable, existing juristic persons as well, since the definition of "person" in Section 1 of the Act covers both. From a practical viewpoint, such situations are, however, infrequent and may apply, for example, to a small private company or close corporation.
Another particularity can be found in Section 3, which limits the territorial scope of the Act: POPIA has no general extraterritorial effect and applies only to responsible parties that are either domiciled in South Africa or process personal information by means located in the country. The Act applies both to commercial companies and to governmental entities, and does not provide exemptions or facilitations for SMEs like the CCPA in California or the SHIELD Act in New York.
Who does enforce POPIA compliance?
Part A of Chapter 5 of POPIA is dedicated to the Information Regulator of South Africa, the national data protection authority, which has fairly broad powers to investigate and sanction infringements of the Act. The Information Regulator is an independent governmental body, accountable to the National Assembly, tasked primarily with educating, monitoring and enforcing compliance, ordering any actions necessary to remediate violations of the Act, ordering unlawful data processing to stop, handling complaints about alleged violations of POPIA, and administering codes of conduct and international data transfers.
The investigatory power granted by Section 41(1)(b) of the Act permits the Information Regulator to initiate investigations at its own discretion or upon receipt of a complaint about flawed privacy or data protection practices at any public or private organization within the purview of the Regulator. The entire Chapter 10 of POPIA is dedicated to enforcement and, among its common provisions, includes the power to summon and enforce the appearance of persons before the Regulator and compel them to give oral or written evidence on oath, and, at any reasonable time and subject to the warrant provisions of the Act, to enter and search any premises occupied by a responsible party and interview any person on the premises.
Moreover, the execution of a properly obtained search warrant, required for the search and seizure of a perpetrator's premises, may be assisted by the police to "overcome resistance to the entry and search by using such force as is reasonably necessary." Under Section 53 of POPIA, the Regulator enjoys a qualified immunity: any person acting on behalf of or under the direction of the Regulator is exempt from civil and criminal liability for anything done in good faith in the exercise or performance of any power, duty or function of the Regulator in terms of the Act.
What are the penalties for POPIA violations?
The whole of Chapter 11 of POPIA is dedicated to the administrative, civil and criminal penalties under the Act. Obstructing an investigation conducted by the Regulator, deliberately providing false statements under oath, or failing to comply with an enforcement notice issued by the Regulator is a criminal offense punishable by a fine or up to 10 years of imprisonment. Administrative fines for violations of the Act may go up to 10,000,000 ZAR.
Additionally, as stated in Section 99, aggrieved individuals whose privacy rights under certain provisions of POPIA were violated may file a civil lawsuit against the responsible party, claiming monetary damages composed of compensation for patrimonial and non-patrimonial loss suffered, aggravated damages, interest and the reasonable costs of the lawsuit, as determined by the court. Notably, this civil liability applies whether or not there was intent or negligence on the part of the responsible party.
What are the cybersecurity requirements under POPIA?
Section 19 of POPIA introduces a comprehensive set of cybersecurity and data protection duties for responsible parties (data controllers). The foundational requirement is to secure the integrity and confidentiality of personal information in the organization's possession or under its control by taking appropriate, reasonable technical and organizational measures to prevent loss of, damage to or unauthorized destruction of personal information, and unlawful access to or processing of it. To attain this goal, a covered organization must:
- Identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control; and
- Establish and maintain appropriate safeguards against the risks identified; and
- Regularly verify that the safeguards are effectively implemented; and
- Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
This risk-based approach is perfectly consonant with GDPR and with recent data protection guidelines by the European Data Protection Board. The contextual, informed and threat-aware approach is further reinforced by requiring the responsible party to "have due regard to generally accepted information security practices and procedures which may be required in terms of specific industry or professional rules and regulations." In practice, this means that an organization cannot simply adopt a static checklist: it must maintain a documented risk assessment, map each identified risk to a safeguard, verify those safeguards (for example through regular security testing and audits), and revise them when new threats or deficiencies emerge.
Less strict requirements are imposed on operators (data processors) which, under Section 20 of POPIA, may process personal information only with the knowledge or authorization of the responsible party and must treat it as confidential and not disclose it. This gap is, however, amply addressed by shifting the responsibility onto the data controller by virtue of Section 21, which obliges the responsible party to conclude a written contract with each operator that ensures strict adherence to the same security measures as are imposed on the responsible party by Section 19. In a nutshell, responsible parties will likely be accountable and legally liable for the errors and omissions of their vendors and suppliers, so supply-chain due diligence and contractual security clauses become a compliance necessity rather than a best practice.
What are the data breach notification requirements under POPIA?
Section 21 of POPIA says that operators must notify the responsible party immediately when there are reasonable grounds to believe that personal information has been accessed or acquired by any unauthorized person. This approach is comparable to the breach notification duty of data processors under GDPR in the EU.
The data breach notification obligations of responsible parties are, however, much broader and are detailed in Section 22 of the Act. A data breach notification, both to the Information Regulator and to the affected individuals, must be made "as soon as reasonably possible" after discovery of the compromise, with a narrow exception where law enforcement or the Regulator determines that disclosure would impede a criminal investigation. The notification to data subjects must be sent in writing to their last known physical or postal address, sent by email, placed prominently on the breached organization's website, published in the news media, or performed in any other manner directed by the Information Regulator.
Among the other details that must accompany the breach notification, such as a description of the possible consequences of the compromise, the measures taken or proposed to address it, and recommended steps the data subject can take to mitigate foreseeable risks, POPIA also requires sharing the identity of the unauthorized person who may have accessed or acquired the personal information, if known at the time of notification.
Finally, under POPIA the Information Regulator may direct a responsible party to publicize, in any manner specified, the fact of a data breach where the Regulator has reasonable grounds to believe that such publicity would protect affected data subjects. Unlike HIPAA in the United States, which triggers mandatory media disclosure only for breaches affecting 500 or more individuals, the Act ties this direction to the Regulator's judgment rather than to a fixed headcount of affected individuals.