It goes without saying that data is an invaluable asset to any company. On the other hand, privacy is an invaluable asset to us as individuals. In order to reconcile these two points, a variety of regulations have imbued individuals with the right to data privacy. In recent years, the most prominent example has been the EU’s General Data Protection Regulation (GDPR), which has been in effect since 2018 and has evolved from being just a European data privacy law to becoming a global data privacy standard. It has influenced legislation across the world including California's CCPA, Canada's Digital Charter Information Act, Brazil 's LGPD, and India's PDPB, just to name a few. More recently, South Africa has promulgated its new Protection of Personal Information Act (POPIA), which will come into effect on 1 July 2021. This new data privacy regulation aims to protect South Africans from fraud and invasions of their privacy by protecting their personal information and preventing identity theft.
Most data privacy laws have similar elements that work toward keeping personal data safe, the most common of which are breach notification requirements and requirements to apply some kind of cryptography to protect sensitive data. Generally speaking, POPIA is much less demanding than the data privacy standard bearer GDPR, but there are key requirements and differences that organisations operating within South Africa should take note of. Here are some of the most frequently asked questions regarding POPIA:
Does POPIA apply outside of South Africa?
No, if your organisation doesn't physically operate within South Africa, you're all set and can stop reading right here; there's no need to block all traffic to your website from South African IP addresses and reroute them to a generic apology page telling them how much you value their privacy and regret not being able to serve them (who's bitter? I'm not bitter). This is a significant difference to GDPR, which applies to organisations worldwide that collect and process the personal data of EU data subjects, regardless of where they're located. However, if your business is domiciled in de Republiek van Suid-Afrika, you'll want to keep reading.
What are the penalties for non-compliance with POPIA?
POPIA includes both fines for organisations that violate the law as well as criminal charges for individuals who are personally responsible. These personal criminal charges can result in a prison sentence of up to 10 years, which may act as a greater deterrent for larger organisations than the fines, which are capped at 10 million ZAR (approximately 550,000 EUR).
Does personal information have to be encrypted or pseudonymised?
POPIA requires that "reasonable technical and organisational measures" be taken to prevent the loss of or unauthorised access to personal information. Granted I am not a lawyer, but storing and transferring personal information in clear text is not a reasonable measure in my estimation. Given that breaches are virtually inevitable and often go undetected for months at a time, a reasonable course of action is to protect sensitive data throughout its lifecycle in order to minimise exposure, accidental or otherwise.
Is company data protected under POPIA?
Yes, in this regard POPIA is broader in scope than similar data privacy laws in that it applies to both “juristic” and “natural persons,” meaning that data about companies and organisations is also protected. This can have implications not only for prospect accounts, but also for partners and suppliers.
Does POPIA require a Data Protection Officer (DPO)?
It doesn't require a DPO per se, however POPIA introduces a similar role called the Information Officer. The Information Officer reports to the CEO of the company and their day-to-day responsibilities differ somewhat to those of a Data Protection Officer under GDPR. For instance, the Information Officer is responsible for encouraging compliance through the development, implementation, and monitoring and maintaining of a compliance framework, while the Data Protection Officer educates a company and its employees about compliance by training staff involved in data processing.
How quickly must data breaches be reported?
While no timeframe is defined, any breaches of POPIA must be reported "as soon as reasonably possible," which could be interpreted two ways. Many similar laws have a 72-hour leniency period, so is 72 hours considered a reasonable response time or will the authorities in South Africa expect a quicker response? In any event, the best bet is to have a response plan in place ahead of time.
Conclusion
Companies should always be familiar with the data privacy laws/regulations of the country they operate in. Especially with the massive shift towards digital transformation, companies need to spend more time not only thinking about how to secure their data to be compliant to their country’s privacy law – especially with the possibility of a potential crossover. Remember, there can be no data privacy without data protection.