South Africa’s Protection of Personal Information Act (POPIA)
The Challenges Of POPIA
- Privacy challenge – GDPR, POPIA and other privacy regulations require organisations to implement technical and organisational controls that secure personal information.
- Security challenge – POPIA requires organisations to secure the integrity and confidentiality of personal information, and holds the responsible party accountable for doing so (the familiar CIA triad adds availability, not accountability). For each data set, the organisation must know where the data is stored and who has access to it.
- Governance challenge – implementing an information security management system (ISMS) or a privacy information management system (PIMS) to manage personal information, together with incident response procedures and data retention periods defined by the organisation.
- Ongoing responsibility challenge – organisations often underestimate the effort required to implement the measures POPIA demands. Compliance is an ongoing initiative, not a one-off project: at all times, your organisation must be able to demonstrate compliance as your business evolves.
The Benefits Of POPIA
- Increased reliability and reputation – demonstrable POPIA compliance improves your reputation with stakeholders and third parties.
- Customer and third-party confidence – stakeholders can be confident that personal information, and the systems protecting it, adhere to industry best-practice security controls.
- Increased organisational resilience – the measures implemented also protect your organisation against cyber threats.
- Improved data management – minimise the personal information you store, and refine your data management processes.
What needs to be assessed
Core focus areas for evaluation during the assessment:
Why Choose Us
POPIA requires organisations to demonstrate compliance. Our experienced security consultants have in-depth knowledge of the technical and operational measures POPIA requires, and can help you implement an information security management system that supports your business objectives and demonstrates POPIA compliance.
Frequently Asked Questions
Article 4(1) of the GDPR defines personal data as any information relating to an identified or identifiable natural person (commonly called personally identifiable information, or PII). POPIA defines personal information more broadly: it is information relating to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person (a company or other legal entity). It includes:
- Contact details: email, telephone, address etc
- Demographic information: age, sex, race, birth date, ethnicity
- History: employment, financial, educational, criminal, medical history
- Biometric information: blood type, fingerprints, DNA etc
- Opinions of and about the person
- Private correspondence
Broadly, processing means anything done with personal information, including collection, use, storage, dissemination, modification and destruction, whether or not the processing is automated.
It depends on your retention policies and procedures; however, POPIA's conditions for lawful processing require the following:
Processing limitation – process only as much information as needed, and retain it for no longer than necessary
Purpose specification – process only for a specific, explicitly defined purpose
Further processing limitation – consider the original purpose before passing on or re-purposing information
Information quality – ensure information is complete, accurate, relevant and up to date
Openness – clearly communicate why the information is processed and who sees it
Data subject participation – allow the data subject to see their information on request, and to have it corrected or deleted
Accountability – the responsible party, which determines the purpose and means of processing, is ultimately responsible for compliance
Security safeguards – take reasonable technical and organisational measures to protect the personal information
A data subject is the person to whom the personal information relates. What the GDPR calls a data controller, POPIA calls a responsible party: a public or private body, or any other person, that determines the purpose of and means for processing a data subject's personal information. What the GDPR calls a data processor, POPIA calls an operator: a party that processes personal information for a responsible party under a contract or mandate, without coming under the direct authority of that responsible party.
SecuriCentrix’s security services are designed to provide the vital assistance needed to make tangible improvements to your organisation’s cyber security posture.
Expert security services and solutions tailored to your needs