After eight long years, the Protection of Personal Information Act (POPIA), which was first introduced in 2013, officially went into effect July 1, 2021. This is South Africa’s first data privacy law, and companies currently have a 12-month grace period to achieve compliance. The act aims to protect the personal information processed in South Africa and enhance the ability of information sharing globally. Although it predates the GDPR, it is often referred to as South Africa's GDPR equivalent. POPIA could be considered “adequately protective” in comparison to GDPR, as it includes certain stricter provisions based on earlier versions of the GDPR.

How is personal information defined under POPIA?

Personal information (PI) has an open-ended definition under POPIA. The data must relate to an “identifiable, living, natural person” or occasionally “an identifiable, existing, juristic person” when information related to race, sex, gender or origin is involved. Our blog on PII (personally identifiable information) highlights both examples of PII and how the intersection of that information can build a larger picture of who you are.

Who does the South Africa privacy law apply to?

The requirements of POPIA outline rules for responsible parties to follow.

Unlike the GDPR, which requires compliance of any organization that processes personal data of data subjects within the European Union, POPIA requires compliance of any organization that processes personal information within the country. It does not apply to processing carried out in the course of a purely personal or household activity.

South Africa privacy law requirements

Under POPIA, responsible parties must comply with the following conditions:

  1. Accountability: All processing of data must occur in compliance with POPIA.
  2. Processing limitation: Personal data must be processed lawfully. A responsible party must develop policies to ensure that personal information is processed in a “reasonable manner.”
  3. Purpose specification: Personal information may only be collected for a lawful, related and explicitly defined purpose. Data subjects must be informed of the purpose of the collection.
  4. Further processing limitation: Exactly as it sounds — a responsible party may only further process that data in limited circumstances.
  5. Information quality: Ensure that any personal information is maintained to be complete, accurate and updated when necessary.
  6. Openness: When personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of who is storing their data, what they are storing, where it is stored and why.
  7. Security safeguards: A responsible party needs to secure the integrity and confidentiality of any personal information in its possession by taking appropriate measures to prevent damage.
  8. Data subject participation: Data subjects have the right to request confirmation of whether a responsible party holds personal information about the data subject.

What are the penalties for non-compliance?

Non-compliance with POPIA can result in a fine of up to $668,100 USD or up to 10 years in jail, depending on the severity of the crime. Ultimately, when it comes to which penalty one might face, the deciding factor is based on the extent of damage done to data subjects.

Become compliant with South Africa’s privacy law

The Protection of Personal Information Act is a relatively straightforward law in who it protects and who it regulates. If you are an organization processing personal information within South Africa, the best way to ensure that information is being handled properly is having a strong understanding of where it is located within your systems. Ground Labs’ Enterprise Recon can locate where your data resides across multiple access points.

If you are ready to take the first step towards compliance, schedule a discovery call with one of our experts now.
