POPIA deadline requires companies to check they’re compliant
Ensuring the protection of personal information has been a critical issue over the past decade, with governments across the world implementing regulations that establish rules for how organisations store, process and use the information they have. The implementation of the European Union’s General Data Protection Regulation in 2018 had global implications, with companies having to adopt more stringent policies in order to comply.
In July 2021, enforcement of the South African Protection of Personal Information Act (POPIA) comes into effect, after the year-long grace period comes to an end. This will mark the point at which organisations will be held liable for contraventions of the Act, with the potential for fines and even prison sentences for offences.
Brian Pinnock, Senior Director Sales Engineering for EMEA at Mimecast, explains that POPIA differs from other international regulations in its scope: it applies to companies that are either domiciled in South Africa or that process personal information in South Africa, whereas other regulations apply according to the citizenship of the data subjects in those jurisdictions.
“There are many other areas that companies need to be aware of, including the requirement to appoint a privacy officer. In the absence of an officially appointed privacy officer, the CEO, by default, assumes that position.”
There are also some areas that still need to be clarified, especially because the Act covers the data pertaining to juristic persons (companies, trusts, etc.) under the definition of personal information. Pinnock points out that it is not entirely clear-cut what could be included under the definition of personal information of a juristic person, and this would need to be managed under the terms of the Act.
He adds that larger companies are generally better prepared for POPIA than smaller companies, but there is still a need for a better understanding of the broad regulations of the Act, including the eight conditions for lawful processing of data, which cover private data in all its forms, not just data held in formal business systems.
“Companies also need to be aware of the vast amounts of personal information that they hold in unstructured data formats, such as e-mails, collaboration platforms, documents or even cookies. If you have someone’s ID number stored anywhere, its storage and use are covered by the Act,” he says.
Security and compliance are two sides of the same coin
One of the key areas that organisations need to be cognisant of is the importance of viewing security and compliance as two parts of a single whole. Pinnock explains that all too often, these are seen as unrelated areas, but a failure to properly secure an organisation’s IT infrastructure could have legal implications under POPIA should a breach occur and personal information be exposed.
“With the rise in ransomware attacks, the importance of security has never been higher, and not all companies understand that should they fall victim to ransomware, this would be classified as a breach under the Act as they have lost control of data containing personal information.”
This means companies need to examine their security infrastructure and confirm that they have taken measures to protect themselves against foreseeable risks. This requires constant vigilance, as what counts as a foreseeable risk changes all the time.
Pinnock adds: “Many companies mistakenly assume that just because their data is stored in the cloud that the provider’s security will protect them. This is not necessarily the case. Responsible parties need to ensure that third parties who process private data on their behalf do so in a compliant manner. If the security protocols haven’t been properly implemented, then they won’t provide the necessary levels of security.
“In terms of POPIA, companies need to be able to show that they have taken the steps to protect the personal data they are entrusted with from foreseeable risks; this requires looking at security and compliance as equally important elements.”
In protecting the organisation and protecting personal information, the concept of cyber resilience has never been more important. “With businesses totally dependent on digital systems, any company’s plan for compliance with the Act needs to include detailed plans for how they protect, recover and keep data available should an incident occur,” says Pinnock. “This will vary depending on the size of the organisation and its budget, but it’s a critical component of ensuring that they comply with both the letter and the spirit of the law.”