South Africa’s Protection of Personal Information Act (POPIA)
POPIA strengthens the rights of individuals over personal information processed within South Africa. Its conditions for lawful processing, and the obligations that follow from them, include:
- Purpose specification
- Processing limitation
- Information quality
- Data subject participation
- Personal information impact assessments
- Security safeguards: Condition 7 requires appropriate, reasonable technical and organisational measures to secure personal information.
Security controls and industry best practices are essential for compliance with the POPI Act (POPIA). The same controls protect your organisation against a broad range of information security threats and vulnerabilities. In its simplest form, compliance translates to applying a recognised information security management system, standard or framework.
So, what are appropriate, reasonable, organisational and technical measures?
Appropriate and reasonable measures come down to identifying the personal information risks your organisation is exposed to, and then defining, mitigating and managing those risks in a repeatable way.
The most widely adopted standards for this are ISO/IEC 27001, which specifies an Information Security Management System (ISMS), and its extension ISO/IEC 27701, which adds a Privacy Information Management System (PIMS) for personal information.
The Challenges Of POPIA
- Privacy challenge – The GDPR, POPIA and other privacy regulations require organisations to implement technical and operational controls that secure personal information, and to be able to show that those controls exist.
- Security challenge – POPIA requires the integrity and confidentiality of personal information to be secured; in practice this means the classic confidentiality, integrity and availability (CIA) controls. For each data set you must know where it is stored, where it flows and who has access to it.
- Governance challenge – Implementing an ISMS or a PIMS to manage personal information, including incident response procedures and data retention periods defined by the organisation.
- Ongoing responsibility challenge – Organisations often underestimate the effort required to implement the measures POPIA demands. POPIA compliance is an ongoing initiative: your organisation must be able to demonstrate compliance at all times as the business evolves.
The Benefits Of POPIA
- Increased credibility and reputation – Demonstrable POPIA compliance improves your standing with stakeholders and third parties.
- Customer and third-party confidence – Stakeholders can be confident that the personal information, and the systems protecting it, adhere to industry best-practice security controls.
- Increased organisational resilience – The measures implemented to satisfy POPIA also protect your organisation against cyber threats.
- Improved data management – Minimising the personal information you store and refining the processes that manage it.
What needs to be assessed
Core focus areas for evaluation during the assessment:
Why Choose Us
POPIA requires organisations to demonstrate compliance. Our experienced security consultants have in-depth knowledge of the technical and operational measures POPIA calls for and can help you implement an information security management system that supports your business objectives and demonstrates POPIA compliance.
Frequently Asked Questions
Article 4(1) of the GDPR defines personal data as any information relating to an identified or identifiable natural person. POPIA's definition of personal information is similarly broad: it covers information relating to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person (a company or other legal entity). It includes:
- Contact details: email address, telephone number, physical address, etc.
- Demographic information: age, sex, race, date of birth, ethnic origin
- History: employment, financial, educational, criminal and medical history
- Biometric information: blood type, fingerprints, DNA, retinal scans, voice characteristics, etc.
- Personal opinions, views and preferences of the person, and the views or opinions of others about the person
- Private correspondence
Broadly, processing means anything done with personal information, including collection, use, storage, dissemination, modification and destruction, whether or not the processing is automated.
How long personal information may be kept depends on your retention policies and procedures; however, the principles of the Act include:
Limitation – Process only as much as is needed, for no longer than necessary
Purpose – Process only for a specific, explicitly defined purpose
Further processing – Consider the original purpose before passing on or re-purposing information
Quality – Ensure information is relevant, complete and up to date
Openness – Clearly communicate why the information is processed and who sees it
Participation – Allow the data subject to access and correct their information
Accountability – The party that determines the purpose of, and means for, processing is ultimately responsible
Security – Take appropriate, reasonable measures to protect the personal information
Transparency – Allow the subject of the information to see it upon request
A Data Subject is the person to whom the personal information relates. What the GDPR calls a Data Controller is, under POPIA, the Responsible Party: a public or private body that determines the purpose of and means for processing the personal information of a data subject. What the GDPR calls a Data Processor is, under POPIA, the Operator: a party that processes personal information on behalf of a responsible party without coming under the direct authority of that party.
SecuriCentrix’s security services are designed to provide the vital assistance needed to make tangible improvements to your organisation’s cyber security posture.