Three Common (and Risky) POPIA Myths Debunked
The grace period for POPIA compliance will soon end in South Africa. We did some myth busting to ensure you’re adequately prepared.
- Some common misconceptions about POPIA could be putting your organisation at legal and financial risk if not corrected.
- It’s vital that organisations have an accurate understanding of the regulations before they come into full force on July 1.
South Africa’s Protection of Personal Information Act (POPIA) enforcement will commence on 1 July, 2021, meaning responsible parties must be fully compliant with the regulations by that date to avoid penalty. POPIA aims to monitor, protect and regulate the processing and flow of personal data within South African organisations, ensuring legitimate use of that data.
In a previous blog, we walked through a POPIA 101 crash course, defining key terms and takeaways of the data privacy act. Below, we break down some of the most common — and dangerous — POPIA myths that could put your organisation at risk.
Myth #1: POPIA is just GDPR ‘Lite’
People tend to think of POPIA as GDPR ‘lite’ for a few reasons. The main one is because, on the surface, the penalties for POPIA seem less severe than those of GDPR. In South Africa, those who are found to be noncompliant with POPIA can face fines of up to R10 million and/or up to 10 years in prison. By comparison, under GDPR, organisations can be fined up to 4% of annual revenue, and if you’re a multi-billion dollar company, that fine could far surpass R10 million. In fact, the biggest GDPR fine of 2020 went to Google, who was forced to pay a €50 million fine — that’s roughly R856.6 million.
POPIA is also not extraterritorial like GDPR or CCPA, meaning it only applies to organisations that are domiciled in and/or process data within South Africa, and not external territories. However, within these borders, the law is actually broader in terms of who it applies to. Whereas GDPR only protects human individuals, POPIA includes protection for juristic persons such as companies or trusts.
At the core of all data privacy regulations is the data itself, and even there POPIA and GDPR differ. GDPR refers to “personally identifiable information” whereas POPIA refers to “personal information” — the difference being that POPIA’s “personal information” is much wider in its parameters. The law more broadly encompasses any personal data pertaining to an individual or juristic person, including but not limited to things like religious beliefs, trade union membership, sexual orientation and political affiliation.
So while POPIA may sometimes be thought of as a ‘lighter’ version of GDPR, organisations should treat them with equal levels of severity. “If you look at it from the risk perspective, there are a number of risks. And the fines and the jail times are probably the least of those risks,” says Brian Pinnock, Senior Director of Sales Engineering MEA at Mimecast. He notes that companies should be wary of reputational damage and the heightened risk of class action lawsuits that POPIA allows.
With these factors considered, the average cost of a data breach in South Africa in 2020 was R40 million. That should put to rest another common myth: that simply paying the fine is cheaper than the hassle of compliance.
We may colloquially refer to POPIA as ‘South Africa’s GDPR,’ but it’s important to understand these key differences so as not to conflate the two when POPIA comes into full effect.
Myth #2: Data must leave the organisation for it to qualify as a data breach
Of POPIA’s eight conditions for lawful processing, security safeguarding is considered one of the most important because it concerns a company’s ability to prevent data breaches. Under Chapter 3, Section 19 of POPIA, responsible parties must take appropriate measures to prevent “(a) loss of, damage to or unauthorised destruction of personal information; and (b) unlawful access to or processing of personal information.”
Traditionally, when we think of a data breach, we think of it in terms of data exfiltration. But information doesn’t have to leave your organisation for it to be considered a data breach. It’s critical to note that clause (b) broadens the definition of a data breach beyond just data exfiltration. Any unauthorised access to personal information constitutes a breach, even if the cybercriminal or employee does not do anything with that data.
The global rise in ransomware adds increased risks for responsible parties, as information encrypted over the course of a ransomware attack constitutes a data breach. “With things like ransomware, if you’ve simply lost control of somebody’s data, that is technically a data breach. You don’t have to have exfiltration,” says Pinnock.
Myth #3: Responsible parties can outsource all risk and responsibility
This is perhaps one of the most dangerous myths for organisations to believe when it comes to POPIA — that they can outsource all of the work as well as the accountability and risk that comes with compliance to third-party operators or insurance agencies.
The myth busting here is twofold. First, no one vendor solution can make you compliant on its own. While some vendors, like Mimecast, enable organisations to become POPIA compliant in several ways, there are many other moving parts that companies must attend to in order to be fully compliant. Responsible parties can expect to engage their legal, compliance IT and security teams in the heavy lifting. “It’s everybody’s problem,” Pinnock says.
Second, cyber insurance will not insure against intentional negligence or illegal acts. “The primary party can outsource a degree of risk to the operator, but not all of it,” says Pinnock. “In South Africa, your home insurance, for example, depends on how well you’ve already protected your home. Do you have an alarm system? Other obstacles and controls? If you haven’t met some basic requirements and your house gets robbed, insurance won’t pay out. Cybersecurity insurance operatess the same way.” Responsible parties therefore cannot rely on cyber insurance to cover them for deliberate non-compliance.
An important note: under POPIA, responsible parties can still be considered compliant — and avoid penalty — if they fall victim to a data breach, so long as they can prove that they took all reasonable steps to prevent it. So, the most critical thing you can do to prevent legal, financial and reputation damage is to fully and correctly commit to POPIA compliance.
 “Chapter 11, Section 107: Penalties,” POPIA
 “What are the GDPR Fines?” GDPR
 “14 Biggest GDPR Fines of 2020 and 2021 (So Far),” Tessian
 “Cost of a Data Breach Report 2020,” IBM/Ponemon
 “Chapter 3, Section 17: Security Measures on Integrity and Confidentiality of Personal Information,” POPIA
Subscribe to Cyber Resilience Insights for more articles like these
Get all the latest news and cybersecurity industry analysis delivered right to your inbox
Sign up successful
Thank you for signing up to receive updates from our blog
We will be in touch!