Steph Charbonneau: What South Africa’s new data privacy law means for businesses

This article was contributed by Steph Charbonneau, CTO, Titus

On 1st July we saw the long-awaited Protection of Personal Information Act (POPIA) come into force in South Africa. POPIA is South Africa's equivalent of the EU GDPR. In short, the act is a new legislative framework for data protection. It aims to promote the constitutional right to privacy by safeguarding personal information. 

It does this by regulating the flow of information, advancing the rights of individuals to access their information and by creating eight conditions or minimum thresholds. It will require both public and private bodies to comply with the conditions when collecting, processing, storing, and sharing personal information. 

In an era where data governance is taking greater importance in an organisation's objectives and business strategy, businesses need to make sure comprehensive IT compliance is being managed effectively. 

Differences between the GDPR & POPIA 

The GDPR applies to the personal data of EU data subjects (in short, EU citizens), regardless of jurisdiction or where the data is being processed. On the other hand, POPIA is only limited to personal information processed within the borders of South Africa. 

Whilst GDPR only applies to information about living natural people, POPIA applies to information collected about companies, body corporates, trusts and other similar type entities. Therefore, the POPIA is much more extensive and rigorous than GDPR as information about vendors, suppliers or partners will be subject to the requirements and conditions of the act. 

Whilst there are several key differences in the two pieces of legislation, POPIA can be seen as an important steppingstone to GDPR compliance. Organizations not in compliance with POPIA will not meet the requirements of the GDPR. This will make it difficult for South African organizations to undertake international business. 

The fundamentals of POPIA compliance 

POPIA mostly applies to those who process data for commercial reasons and contains several exemptions including data processed for public bodies relating to national security, law, or the justice system; provincial cabinet data; and data processed for journalistic pursuits. 

The law is based on eight conditions for the lawful processing of personal data, as listed below: 

  1. Accountability. The data processor takes on all responsibility for ensuring the rest of the conditions are met. 
  2. Processing Limitation. Strict limitations on what kind of data processing is allowed, including only processing relevant data with a specific purpose and allowing data subjects to object/withdraw consent at any time. 
  3. Purpose specification. Restricts reasons behind data collection to “specific, explicitly defined and lawful” purposes – essentially, data collection must revolve around your normal business activities. Your data subjects must also be aware of these reasons. 
  4. Further processing limitation. Puts limitations on how organizations can further process data from their original intent, so that any further processing must be “compatible with the purpose for which it was (originally) collected”. 
  5. Information quality. Stipulates that organizations must ensure collected data is complete and accurate. 
  6. Openness. Regards data processors' responsibilities under South Africa's Promotion of Access to Information Act, requiring documentation of data processing activities and proactive data subject notification when data is collected. 
  7. Security safeguards. Outlines the security requirements – described as “appropriate, reasonable technical and organizational measures” – organizations must take to keep personal data safe. 
  8. Data subject participation. Defines the rights of data subjects including the right to access their own data, to be able to request and receive corrections within a timely manner. 

POPIA compliance best practices 

Like other data privacy laws, there are certain best practices organizations can implement in order to get, and stay, compliant with POPIA, much of them to do with process. 

For starters, you should always obtain consent before collecting, processing, sharing, or doing anything else with someone's data. You should also only collect the data you need for your stated purpose and store the information only as long as you need it. 

But it's also about technology, and one of the most impactful steps you'll take when it comes to POPIA compliance is the implementation of data identification and classification software

Indeed, companies can have the most sophisticated cybersecurity and data loss prevention (DLP) stack in existence and, without knowing where PII and sensitive data exists in their systems, still land on the wrong side of POPIA. 

Data classification software embeds persistent metadata into all an organization's emails and documents, both during creation and for data at rest, while identifying the existence of PII and other sensitive data within those documents. It then classifies these files based on a flexible, easily customised policy engine, allowing for data context across all your files that informs the rest of your downstream security ecosystem. 

Lastly, once you use data classification software to get compliant with one data privacy law, compliance with the rest of them is usually easier, meaning you can maximise the value of your investment and apply it to multiple compliance challenges.