Archive & Data Protection

    POPIA Poses Privacy Conundrum: How to Archive Email?

    South Africa’s new privacy law requires data archives that prevent tampering yet at the same time allow corrections.

    by Karen Lynch

    Key Points

    • Companies must safeguard South African citizens’ personal information from unauthorized access and tampering under the new POPIA law.
    • The law also permits individuals to ask for corrections and deletions of data that companies have collected about them.
    • But tamper-proof safeguards can make it hard to fulfill requests for changes, unless companies use the right setup for systems like email archives.

    South African companies have been gearing up for the just-passed July 1 deadline to meet new data privacy rules under the country’s Protection of Personal Information Act (POPIA).[1] But sometimes the gears may not mesh, especially when it comes to the vast troves of personal information held in email accounts and archives. The law’s requirement to safeguard personal data, for instance, may interfere with the requirement to correct or delete such data upon request.

    Companies should be asking three questions to assess whether their email archive will comply with POPIA:

    • Is my email archive tamper-proof (“immutable,” in privacy terms)?
    • Does it enable me to respond to individuals’ requests for corrections and deletions (known as “subject access requests”)?
    • Can it do both?

    Companies that rely on the dominant email platforms for compliant archiving can usually answer “yes” to the first or second question but not the third, according to Brian Pinnock, Mimecast’s director of sales engineering MEA. And that’s the kind of shortfall that risks violating POPIA, drawing financial penalties, inviting class-action suits and inflicting harm on a company’s reputation.

    In previous blogs, Pinnock has given a POPIA 101 crash course, engaged in some POPIA myth-busting and done a deep dive on data safeguarding and ransomware to help South African companies get ready for the new data privacy law. Here, he analyzes the conundrum companies face as they try to achieve data immutability in tandem with POPIA compliance.

    Data Immutability vs. Compliance

    Privacy regulations aim to protect the integrity, confidentiality and immutability of sensitive data such as personal information. The rule of thumb is that archived data will not be changed in any way.

    Complying with POPIA not only requires such protections but also gives individuals the right to request corrections and deletions. The problem is that archiving setups offered on dominant email platforms may not be able to handle both immutability and compliance.

    Some of these archives rely on retention locks or litigation holds, which last a set period of time. Only after the lock expires can a change be made, which is less responsive to requests than the law may require, Pinnock says. Or, if a hold is removed in order to make changes, a company may lack an audit trail to prove its compliance. Or worse, logs might also be deleted by rogue administrators or end users engaged in corruption.

    By contrast, the setup enabled by an email security provider such as Mimecast allows tightly controlled changes to an email archive — often requiring at least two employees’ involvement, he says. Then, to preserve integrity and prevent corruption, a tamper-proof audit trail indicates to the company’s security team what data was changed in the archive and by whom.
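    The two controls described above (changes that need two employees, and an audit trail that cannot be quietly rewritten) can be sketched as follows. This is an added example, not code from the article or from any vendor's product; the `Archive` class, its methods and the sample message are hypothetical and constructed for illustration.

```python
import hashlib, json
GENESIS = "0" * 64  # "previous hash" used by the first audit entry

def _digest(entry):
    # Hash the entry's canonical JSON form, leaving out its own hash field.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Archive:
    def __init__(self):
        self.messages = {}   # message id -> body (hypothetical store)
        self.log = []        # append-only audit trail, each entry chained to the last

    def _append(self, action, msg_id, actors, detail):
        prev = self.log[-1]["hash"] if self.log else GENESIS
        entry = {"seq": len(self.log), "action": action, "msg_id": msg_id,
                 "actors": sorted(actors), "detail": detail, "prev": prev}
        entry["hash"] = _digest(entry)
        self.log.append(entry)

    def ingest(self, msg_id, body, actor):
        if msg_id in self.messages:
            raise ValueError("archived messages cannot be overwritten")
        self.messages[msg_id] = body
        # The trail records a digest only, so it holds no personal data itself.
        self._append("ingest", msg_id, [actor], hashlib.sha256(body.encode()).hexdigest())

    def erase(self, msg_id, requester, approver, reason):
        # Dual control: the requester and the approver must be different people.
        if requester == approver:
            raise PermissionError("erasure needs two different employees")
        del self.messages[msg_id]            # raises KeyError if not archived
        self._append("erase", msg_id, [requester, approver], reason)

def verify(log):
    """Return the index of the first broken entry, or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != _digest(entry):
            return i
        prev = entry["hash"]
    return None

def demo():
    a = Archive()
    a.ingest("m1", "constructed sample: ID number of J. Doe", "mail-gateway")
    a.erase("m1", "privacy-officer", "compliance-lead", "subject request (constructed)")
    intact = verify(a.log)
    a.log[1]["actors"] = ["rogue-admin"]     # simulate someone rewriting the trail
    return intact, verify(a.log)             # (None, 1)
```

    A hash chain exposes edits to existing entries but not removal of the newest ones, so the latest hash has to be recorded somewhere the archive's administrators cannot alter.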

    Compliant Email Archiving

    Compliance tools for other necessary functions, such as e-discovery, are also available from a range of email platforms and security providers, with different levels of sophistication. can tag emails as they come in, automatically identifying those containing sensitive data. This feature makes unstructured email data searchable and deliverable at a later date, in whatever form necessary, whether for a subject access request or a privacy risk assessment.

    Secure messaging is also useful in responding to subject access requests. As you email an individual proof that you’ve deleted their data, along with audit trails, secure messaging provides your company with its own proof of delivery.

    POPIA Outlook

    Time will tell how quickly and strictly regulators enforce POPIA. Patterns set by European regulators’ enforcement of the General Data Protection Regulation (GDPR) may be repeated on the South African data privacy landscape. For example, high-profile organizations may attract more enforcement in the early days, even as all companies are expected to employ compliance measures that are reasonable for their particular size and industry sector.

    While similar to the GDPR and other privacy laws, POPIA differs in several ways, including:

    • It covers more categories of personal information than most (e.g., not just credit card numbers but religious affiliations).
    • It includes businesses’ privacy rights as well as individuals’.
    • It generally wields weaker penalties (up to ZAR 10 million, or US$700,000, if data protections are deemed negligent).
    • Prison sentences are included in POPIA, which was drafted in 2013, although global policy consensus may have overtaken that provision, Pinnock says.

    More guidance on compliance and enforcement is expected from South African regulators in the coming year as companies and individuals begin reporting violations. In the meantime, regulators are seen to be under-resourced for the POPIA task ahead, even as many companies are described as unprepared to meet the requirements.

    Business Outlook

    The business impact of POPIA will also be clarified over time. Elsewhere in the world, the Gartner market research group reported last year that companies subject to the GDPR and other privacy laws were spending nearly US$1,500 per subject access request, on average. Many companies used time-consuming manual processes that usually took at least a full working week per request. “Automation will be required to support departmental scale and meet regulations,” Gartner wrote.[2]

    Research from the DataGrail privacy platform looked at requests under the California Consumer Privacy Act (CCPA). There, companies received an average of 137 requests per million identities. Nearly half of consumers requested to opt-out of the sale of their data to third parties, instead of seeking access to or deletion of their data. Still, about a third requested deletion.[3]

    The Bottom Line

    South Africa’s POPIA law is coming into force, giving individuals greater data privacy rights. How companies handle the vast amount of personal information in their email accounts and archives will be key to compliance. Without the right setup, your data safeguards could be at odds with individuals’ new rights to demand changes in the information you have on them.


    [1] “Protection of Personal Information Act,” Government Gazette

    [2] “4 Legal Tech Trends for 2020,” Gartner

    [3] “Consumers Take Action on Privacy,” DataGrail
