Total Tests:

South Africa POPIA Compliance and Cybersecurity

Read Time: 7 min. Updated: October 25, 2023

The Protection of Personal Information Act 2013 (POPIA) is a comprehensive privacy and personal data
protection law in South Africa that imposes a set of cybersecurity requirements for entities
(both local and foreign) that process data within the country.

South Africa POPIA Compliance and Cybersecurity

What is POPIA and what does it mean for your business?

Composed of 12 Chapters and 115 Sections, the POPIA establishes a comprehensive privacy regime in South Africa. Although the Act was passed in 2013, it did not come into force until 2020, with a one year grace period meaning that entities were only required to be fully compliant from July 2021.

POPIA compliance ImmuniWeb can help you comply with POPIA cybersecurity and data protection requirements. How We Help

The POPIA was inspired by the European GDPR and grants South African individuals a broad spectrum of privacy rights to decide how their personal information is used, processed or shared by private and public sector organizations. Among other notable provisions consistent with the GDPR, the POPIA significantly restricts transfers of personal data to foreign countries. The Act also offers much stronger protection to Special Personal Information (SPI) that includes: religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, or biometric information of a data subject.

Similar to other personal data protection laws, the POPIA requires entities to have a lawful basis, such as a voluntarily given consent of a data subject, for the processing of personal data. Individuals are entitled to request access to their personal data, ask for correction of erroneous or outdated data, and request deletion of their personal data (unless a specific exception applies). Full rights and exclusions are explained in Sections 5 and 6 of the Act, respectively. The POPIA stipulates that the lawfulness of personal data processing is based on the following foundational principles (referred to as “Conditions” in the Act):

  • Accountability
  • Processing limitation
  • Purpose specification
  • Further processing limitation
  • Information quality
  • Openness
  • Security Safeguards
  • Data subject participation

Many of these conditions closely resemble other privacy regimes, such as the PDPA in Singapore or the PDPO in Hong Kong. For instance, under the openness condition, covered organizations are required to ensure fair and transparent processing of personal data by publishing a clear and sufficiently detailed privacy notice, as prescribed by Section 18 of the Act.

Under the POPIA, the data controller is labeled as a “responsible party”, while the data processor is referred to as an “operator”. Both have to comply with the security and data breach notification provisions of the Act. The responsible party is also required to designate an Information Officer, analogous to a Data Protection Officer (DPO) under the GDPR, and to register them with the Information Regulator. Somewhat unusually but sensibly, a Deputy Information Officer is likewise required. The duties and responsibilities of the Officers are explained in Sections 55 and 56 of the POPIA.

Who is covered by POPIA?

In contrast to the majority of modern privacy laws, the POPIA protects not only individuals but, where applicable, an existing “juristic” person, as stated in Section 1 of the Act. From a practical viewpoint, such situations are, however, infrequent and may apply, for example, to a sole proprietorship entity.

Another unique property can be found in Section 3, which essentially limits the extraterritorial effect of the POPIA - it only applies to entities domiciled in South Africa or which process personal data in the country.

The Act applies both to commercial companies and governmental entities, and does not provide exemptions for SMEs like the CCPA in California or the SHIELD Act in New York.

Who enforces POPIA compliance?

Chapter 5, Part A of the POPIA is dedicated to the Information Regulator of South Africa. This is the national data protection authority, an independent governmental body, accountable to the National Assembly, which has fairly broad powers to investigate and sanction any infringements of the Act. It is tasked with promoting awareness of the regulations, monitoring compliance and taking enforcement actions. Its enforcement duties include:ordering entities to take any actions necessary to remediate violations of the Act, ordering entities to stop unlawful data processing, and handling complaints for alleged violations of the POPIA. It also helps to administer relevant codes of conduct and international data transfers.

Investigatory power, granted by the Section 41(1)(b) of the Act, permits the Information Regulator to initiate investigations at its own discretion or upon receipt of a complaint about flawed privacy or data protection practices at any relevant public or private organization. Chapter 10 of the POPIA is dedicated to enforcement actions, including: the power to summon and enforce appearance of persons before the Regulator and compel them to give oral or written evidence under oath at any reasonable time subject to Section 81; and to enter and search any premises occupied by a responsible party and interview any person on the premises.

The execution of a properly obtained search warrant, required for the search and seizure of premises, may be assisted by police to “overcome resistance to the entry and search by using such force as is reasonably necessary.” Under Section 53 of the POPIA, the Regulator enjoys a qualified immunity by exempting any person, acting on behalf or under the direction of the regulator, from civil and criminal liability for anything done in good faith in the exercise or performance of any power, duty or function of the regulator in terms of the Act.

What are the penalties for POPIA violations?

Chapter 11 of the POPIA is dedicated to administrative, civil and criminal penalties under the Act. Obstruction of investigation conducted by the regulator, provision of deliberately false statements under oath or failure to comply with the regulator’s order is a criminal offense punishable by up to 10 years in prison. Administrative fines for violations of the Act may go up to 10 million ZAR.

Additionally, as stated in Section 99, aggrieved individuals, whose privacy rights under certain provisions of the POPIA are violated, can file a civil lawsuit against the responsible party, asking for monetary damage composed of: compensation for patrimonial and non-patrimonial loss suffered; aggravated damages; interest; and reasonable costs of the lawsuit as determined by court.

The first fine under the POPIA was issued against the Department of Justice and Constitutional Development in July 2023. The fine, totalling 5 million ZAR, resulted from the Department’s failure to comply with an Enforcement Notice (requiring the renewal of antivirus software licences) issued following a cyber attack in 2021 on their IT systems.

ImmuniWeb Newsletter

Get exclusive updates to cybersecurity laws and regulations:


Private and Confidential Your data will stay private and confidential

What are the cybersecurity requirements under POPIA?

Section 19 of the POPIA introduces a comprehensive set of cybersecurity and data protection duties for responsible parties (data controllers). Their basic duty is to secure the integrity and confidentiality of any personal information in its possession or under its control, by taking appropriate, reasonable technical and organizational measures. To meet this duty, covered organizations must:

  • Identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control; and
  • Establish and maintain appropriate safeguards against the risks identified; and
  • Regularly verify that the safeguards are effectively implemented; and
  • Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

This risk-based approach is consistent with the GDPR and recent data protection guidelines issued by the European Data Protection Board. The requirement for a contextual, informed and threat-aware approach is highlighted by the Section 19 which states that the responsible party must “have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.”

Less strict requirements are imposed by the POPIA on operators (data processors), which must keep entrusted personal information confidential and not disclose it. However, Section 21 requires responsible parties to create and impose enforceable contractual duties upon their operators, to ensure strict adherence to the same cybersecurity standards as imposed by Section 19. Therefore responsible parties will likely be accountable and legally liable for any errors and omissions of their vendors and suppliers.

POPIA compliance ImmuniWeb can help you comply with POPIA cybersecurity and data protection requirements. How We Help

What are the data breach notification requirements under POPIA?

Section 21 of the POPIA says that operators must notify responsible parties immediately when there are reasonable grounds to believe that personal information has been accessed or acquired by any unauthorized person. This approach is comparable to the breach notification duty of data processors under the GDPR in the EU.

Data breach notification obligations of responsible parties are, however, much broader - and these are detailed in Section 22 of the Act. Data breach notification - both to the Information Regulator and the affected individuals - must be made “as soon as reasonably possible” after discovery of the compromise, with narrow exceptions (eg when such disclosure may hinder criminal investigation by competent law enforcement agencies). The notification must be sent in writing or by email, or made publicly available on the breached organization’s website and sent to local media, or performed in any other suitable way approved or directed by the Information Regulator.

Various details need to be disclosed as part of breach notification, such as the nature and scope of an incident and suggested steps to mitigate foreseeable risks. The POPIA also requires the identity of the unauthorized person or entity which unlawfully accessed the data to be shared – if known at the time of notification.

Finally, under the POPIA the Information Regulator may instruct the responsible party to publicize, in any manner specified, a data breach affecting more than 50 individuals. This is a pretty strict threshold when compared to 500 individuals that triggers mandatory disclosure to the media under HIPAA.

Introduction to POPIA by BizArmour Inc.

List of authoritative POPIA resources

Share on LinkedIn
Share on Twitter

Share on WhatsApp

Share on Telegram
Share on Facebook
Book a Call Ask a Question
Close
Talk to ImmuniWeb Experts
ImmuniWeb AI Platform
Have a technical question?

Our security experts will answer within
one business day. No obligations.

Have a sales question?
Email:
Tel: +41 22 560 6800 (Switzerland)
Tel: +1 720 605 9147 (USA)
*
*
*
Your data will stay private and confidential