POPIA 101: The Basics of South Africa’s New Data Privacy Act

South Africa’s Protection of Personal Privacy Act (POPIA) is one of the newest additions the growing trend of data privacy legislation following the lead of Europe’s General Data Privacy Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Though there are key differences between GDPR, CCPA and POPIA, they are all built on the same guiding principles of accountability, transparency, security, data minimisation and the rights of data subjects. POPIA gives individuals much more control over their personal data by forcing companies to justify what they do with it, how long they keep it and how they protect it.[1]

POPIA was made effective by parliament on July 1, 2020, and organisations were granted a one-year grace period to become compliant before July 1, 2021. Now that we’re more than halfway through that grace period, most South African organisations should be well on their way to full compliance. 

POPIA 101

POPIA empowers citizens with enforceable rights regarding their personal information (e.g. right to access, right to correction, right to erasure), establishes eight minimum requirements for lawful processing, and creates a broad definition of personal information for comprehensive data subject protection.

Unlike GDPR, POPIA is not extraterritorial. That means POPIA only applies to organisations that are domiciled in and/or process data within South Africa. Within the country, however, POPIA is broader in terms of who it applies to. GDPR only protects living individuals, whereas POPIA also protects companies and organisations as juristic persons.

The regulations also establish the Information Regulator, an independent body that will serve as lead enforcer and supervisor of the law. For those who fail to comply with POPIA, penalties can include fines of up to 10 million Rand and/or up to 10 years in prison.[2]

Organisations will also face the risk of class action lawsuits under POPIA. Although class action suits are relatively novel in South Africa, POPIA offers data subjects the ability to institute civil action for damages against organisations, irrespective of the organisations’ intent.[3] These class actions can be facilitated by the information regulator without the normal legal heavy lifting of a typical class action, which is likely to make them more probable. Not to mention the risk of severe reputational damage for companies who are found noncompliant.

Defining Key Terms of POPIA

Those familiar with GDPR may recognise the terms data controller, data processor and data subject. POPIA is built around the same roles, but with slightly different terminology:[4]

• Responsible party: A public or private body that determines the purpose and means for processing personal information of a data subject.
• Operator: A party that processes personal information on behalf of the responsible party. Mimecast is an example of an operator.
• Data subject: Any party to whom the personal information relates.

POPIA refers to the “personal information” of a data subject, whereas GDPR refers to “personally identifiable information.” The two are similar concepts, though personal information more broadly encompasses any personal data regarding a human individual or juristic person.

This includes, but is not limited to, information about race, sex, education, marital status, criminal history, employment history, medical data and political affiliations. POPIA designates a separate category for “special personal information,” such as religious beliefs, trade union memberships or sexual orientation, and has special regulations for processing the personal information of a child.[5]

Under POPIA, data subjects are granted nine rights pertaining to the processing of their data. This includes the right to be notified when and how data is being collected, the right to access said data, and the right to correct or delete information.[6]  

Data subject participation is just one of POPIA’s eight conditions[7] for the lawful processing of data, listed below:

1. Accountability
2. Processing limitation
3. Purpose specification
4. Further processing limitation
5. Information quality
6. Openness
7. Security safeguards
8. Data subject participation

Of these eight conditions, it is important to highlight security safeguarding as perhaps the riskiest for organisations, as it speaks to their ability to protect against data breaches. Under Chapter 3, Section 19 of POPIA, responsible parties must take appropriate measures to prevent “(a) loss of, damage to or unauthorised destruction of personal information; and (b) unlawful access to or processing of personal information.”[8]

It’s critical to note that clause (b) broadens the traditional concept of a data breach beyond just data exfiltration. Any unauthorised access to personal information constitutes a breach, even if the cybercriminal or employee does not do anything with that data.

If there are “reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person,” responsible parties are required to notify the Information Regulator and data subjects “as soon as reasonably possible after the discovery of the compromise.”[9]

Becoming POPIA Compliant

Under POPIA, responsible parties can still be considered compliant if they fall victim to a data breach — as long as they can prove they completed all the right steps under POPIA to prevent it. Therefore, it’s important to not cut corners on your organisation’s journey to compliance, as successful compliance will help prevent both data loss and legal ramifications.

Compliance means responsible parties must meet several minimum requirements for lawful processing of data — such as documentation, security and confidentiality — and ensure that end users can exercise their right to access, update and delete previously collected data.

“The biggest hurdle is that people are hoping for shortcuts, and there are really no shortcuts,” says Brian Pinnock, Senior Director of Sales Engineering MEA at Mimecast. “You’ve got to go through a multi-step process, and the first step is finding out what information you have and how you process it. That’s a huge challenge in itself.”

So what’s a good starting point for organisations?

“Definitely try and get some assistance,” Pinnock recommends. “You can streamline some of the processes by using reputable vendors like Mimecast or equivalent vendors to manage aspects of your data. Don’t build your technology stack from scratch — use companies that are already compliant with certain standards.” In addition to engaging cybersecurity vendors, organisations can involve legal specialists with compliance programs to help guide the process.

The Bottom Line

POPIA empowers data subject rights by holding organisations accountable for the responsible safekeeping of their personal information. The regulation also opens up new risks for organisations that they must remain keenly aware of to avoid data compromise or legal penalties — so it’s imperative that responsible parties do compliance right. Over the next several months, we will delve deeper into POPIA on this blog to debunk common misconceptions, explore nuances of the law, offer tips to organisations and more.

[1] “POPIA Compliance: South Africa’s Version of GDPR,” NetApp

[2] “Chapter 11, Section 107: Penalties,” POPIA

[3] “Companies failing to protect customer data may face civil damages of even class action suits,” Independent Online

[4] “Chapter 1, Section 1: Definitions,” POPIA

[5] “What is personal information defined as?” Michalsons

[6] “Chapter 2, Section 5: Rights of Data Subjects,” POPIA

[7] “South Africa’s Protection of Personal Information Act, 2013, Goes into Effect July 1,” National Law Review

[8] “Chapter 3, Section 17: Security Measures on Integrity and Confidentiality of Personal Information,” POPIA

[9] “Chapter 3, Section 22: Notifications of Security Compromises,” POPIA