The South African Protection of Personal Information Act (POPIA) is focused on data protection rights for data subjects of South Africa — and provides South African citizens with better control over their personal data. The POPIA also requires any organization that processes personal information in South Africa to protect that data.
What Is POPIA?
The law gives citizens — or data subjects — enforceable rights over their personal information, establishes eight minimum requirements for data processing (e.g. introducing consent as a required legal basis), creates a broad definition of personal information for comprehensive end-user protection, and forms an Information Regulator (SAIR) to enforce and supervise the provisions.
Personal Data and Sensitive Personal Data
POPIA applies to any company or organization that processes personal information and is domiciled in South Africa, and to any that is not domiciled in South Africa but makes use of automated or non-automated means of processing located within the country.
POPIA defines personal information broadly as any information relating to not only a living person but also a company or legal entity.
Personal data under both POPIA and GDPR includes data that identifies a specific person or data that makes a person recognizable. While POPIA includes a similar definition of personal data and of special personal information (the counterpart of sensitive data in the GDPR), the South African law sets some strict requirements under which the mishandling of sensitive and vulnerable data can constitute a criminal offense.
POPIA defines data processing as the collection, receipt, recording, organization, storage, merging, linking, and more, of personal information. POPIA allows companies and organizations to process data if it is deemed to be in the user’s “legitimate interest,” a standard that leaves room for ambiguity, possible abuse, and enforcement difficulties.
POPIA also creates eight conditions for lawful data processing, in which the consent of the data subject is critical. It is up to websites, companies, and organizations (“responsible parties”) to prove that their processing is lawful — or that the correct consents have been obtained from users. POPIA defines consent as any voluntary, specific, and informed expression of choice.
Data Transfer & Sharing
Transfers of personal information from within to outside of South Africa are prohibited by POPIA — with the following exceptions:
- Cross-border transfers are permitted to a third party that is subject to legal or corporate data protection rules substantially similar to South Africa’s own.
- Certain types of transfer are exempt from the conditions, such as when an individual has consented to the transfer or where the transfer is necessary to fulfill a contract.
POPIA creates nine actionable rights for South African citizens (data subjects), including but not limited to the right to access, right to correct, and right to delete.
Similar to GDPR, citizens may request, free of charge, confirmation of whether or not an organization processes their personal information. Unlike the GDPR, the POPIA allows organizations to charge a fee for providing individuals with a copy of the information a company holds on them. Orgs that choose to do so must give a written estimate of the cost beforehand.
The POPIA also requires that organizations respond to any such data subject access request (DSAR) within a reasonable time. The GDPR, on the other hand, is more specific and states that, under normal circumstances, orgs must respond to a DSAR without delay — and within a month at the latest.
Fines, Penalties, and Prison, Oh My!
A POPIA violation carries a maximum financial penalty of R10 million (ZAR, South African rand), which is much smaller than the GDPR fine maximum of €20 million or 4% of annual global turnover. However, European enforcement authorities may consider the degree of cooperation an organization shows during their investigations.
As an added layer to the South African legislation, individuals can be held criminally responsible and sentenced to prison for up to 10 years in more severe cases.
Compared to POPIA, GDPR sanctions focus more directly on non-compliance. POPIA sanctions apply to non-compliance and to a range of other offenses, including hindering, obstructing, or unlawfully influencing enforcement officials; failing to attend court hearings; and lying under oath.
With BigID, companies can avoid these penalties and get ahead of POPIA compliance challenges:
- Discover data: Identify personal data and classify sensitive data.
- Contextualize data: Correlate relationships between data by bringing context to personal data and sensitive data.
- Label and tag data for legal purposes: Ensure that data is being processed in agreement with privacy regulations.
- Minimize duplicate or sensitive data: Enable data minimization with duplicate identification and apply retention rules based on a legal purpose.
- Manage data risk: Discover, classify, and map data to apply controls for breach risk reduction.
- Automate data rights fulfillment: Automate manual fulfillment of individual data access and deletion requests.
- Report on whose data they have: Enable correction workflows and validate whether sensitive data is being captured.
- Detect out-of-policy, cross-border data transfers: Track data access, usage, and transfer violations across the organization for immediate action.
Any organization processing the personal data of South African residents should ensure they are in compliance with POPIA and pay close attention to any advice released from regulators over the next few months.
See how BigID can help you ensure your organization’s compliance with POPIA.