Guide to South Africa’s Protection of Personal Information Act (POPIA)

In this guide:

  1. Key provisions of South Africa’s POPIA
  2. Review business compliance practices
  3. Why Privacy Bee matters today

Key provisions of South Africa’s Protection of Personal Information Act

The Protection of Personal Information Act (POPIA or “POPI Act”) is South Africa’s premier data protection law enacted by Parliament in 2020. Essentially, the POPIA aims to safeguard individuals from potential harm by securing their personal data and granting them rights to review and remediate any information held by an organization. The primary objective of the law is to prevent financial and identity theft by establishing privacy as a fundamental human right. To accomplish this goal, the POPIA establishes specific conditions that must be met for the lawful processing of someone else’s personal data.

South Africa designed this law to align with international standards and best practices, so those well-versed in global data privacy laws will notice that many provisions within POPIA align closely with the European Union (EU) General Data Protection Regulation (GDPR). The POPIA applies to any person or organization processing personal information, including large corporations and government entities, and requires the appointment of an Information Officer (IO), similar to how bigger organizations in other countries must appoint a Data Protection Officer (DPO). Much of the law follows the GDPR in this way, but uses slightly different terminology.

Before diving into the specific provisions of the law, it is important to understand how South Africa names and defines the three different parties involved in data collection and processing:

  1. The data subject, which is the person whose information is being collected, processed and/or transferred. This is standard terminology used around the world.
  2. The responsible party, which is the person or organization determining why and how the data is being used. These are referred to as “controllers” by other international laws.
  3. The operator, which is the person or organization processing personal information on behalf of the responsible party. These are referred to as “processors” by other international laws.

The responsible party has numerous obligations placed upon them by the POPIA, which must be addressed proactively. There are eight key conditions that must be met for lawful processing, outlined later in this article to guide businesses towards compliant practices, since they’re really only relevant for business organizations. Importantly for consumers, the law also outlines specific rights they now have to safeguard their own personal data. All of these rights and provisions have an extraterritorial scope, which means they apply to all responsible parties even if they’re located outside of South Africa.

The rights enumerated for individuals in the POPIA are:

  • Right to be informed (Section 5): Individuals have the right to be informed about the collection of their personal information. This includes being made aware of the purpose for processing, the identity of the responsible party (data controller), and any third parties with access to the data.
  • Right to access (Section 23): Data subjects have the right to request and obtain access to their personal information held by a responsible party. This includes information about the nature of the data being processed, the purposes of processing, and the recipients of the information.
  • Right to correction (Section 24): Individuals can request the correction or updating of their personal information if it is inaccurate, incomplete, or outdated. Responsible parties are obligated to take reasonable steps to correct the information.
  • Right to object to processing (Section 11): Data subjects have the right to object to the processing of their personal information in certain circumstances. If the processing is for direct marketing purposes or based on legitimate interests, the data subject can object and the data controller must stop processing unless there are compelling legitimate grounds for the processing.
  • Right to data portability (Section 24A): Individuals have the right to request the transfer of their personal information from one responsible party to another in a commonly used and machine-readable format. This right applies to information that the data subject provided to the responsible party and where processing is based on consent or a contract.
  • Right to erasure (Section 5): Also known as the “right to be forgotten,” individuals have the right to request the deletion or erasure of their personal information under certain circumstances. This includes situations where the data is no longer necessary for the purpose for which it was collected or if the data subject withdraws consent.
  • Right to restriction of processing (Section 11): Data subjects can request the restriction of processing their personal information under specific conditions. This means that while processing is restricted, the responsible party can store the information but not process it further.
  • Right to non-discrimination (Section 11): Individuals have the right not to be unfairly discriminated against for exercising their rights under POPIA. Responsible parties cannot deny goods or services, charge different prices, or provide a lower quality of service based on the individual’s exercise of their privacy rights.

It’s important to note that these rights are designed to give individuals more control over their personal information and to ensure that organizations handle data in a transparent and responsible manner. Responsible parties are obligated to support an individual’s ability to exercise these rights by implementing processes and procedures to handle requests from data subjects, most commonly known as Data Subject Access Requests (DSARs). If a violation has been identified, then individuals can direct any concerns or complaints regarding their rights to the Information Regulator, which is an independent body established by POPIA to monitor and enforce compliance with the law.

To be fully transparent, businesses shouldn’t be afraid of regulations like POPIA. When viewed as an opportunity instead of a burden, forward-thinking companies can turn data privacy protections into a key differentiator to build trust and brand equity. But compliance is the first step.

Source: The Protection of Personal Information Act Official Document

Review business compliance practices

Despite establishing obligations that can prove challenging for some businesses, the POPIA also presents some opportunities. By complying, businesses demonstrate their commitment to protecting customer privacy and build trust with consumers. Going above and beyond to remain compliant also helps businesses avoid costly data breaches and expensive fines from the Information Regulator.

To get more specific, the POPIA has eight key conditions for businesses to ensure they are processing data lawfully:

  1. Accountability:
    • Overview: The accountability condition emphasizes that the data controller is responsible for ensuring compliance with POPIA. This includes implementing measures to protect personal information and demonstrating ongoing compliance.
    • Key points: Organizations must appoint an Information Officer, conduct regular assessments of data processing activities, and ensure that employees are aware of their responsibilities under POPIA.
  2. Processing Limitation:
    • Overview: The processing limitation condition restricts the processing of personal information to specific, explicitly defined purposes. Any further processing must be compatible with the original purpose.
    • Key points: Organizations must clearly articulate the purpose of collecting personal information and ensure that subsequent processing is consistent with that purpose. Data subjects must be informed of the intended processing before it occurs.
  3. Purpose Specification:
    • Overview: This condition reinforces the idea that personal information should only be collected for a lawful and legitimate purpose. Organizations must ensure that individuals are aware of the purpose for which their data is being collected.
    • Key points: Responsible parties must communicate the purpose of processing to data subjects before or at the time of collection. If personal information is used for a new purpose, the data subject’s consent may need to be acquired again.
  4. Further Processing Limitation:
    • Overview: Building on the purpose specification condition, this one restricts further processing of personal information for a purpose that is incompatible with the original purpose.
    • Key points: Organizations must not process personal information for purposes that are unrelated to the initial purpose of collection unless the data subject consents or unless allowed by law.
  5. Information Quality:
    • Overview: The information quality condition emphasizes the accuracy and relevance of personal information. Data controllers must take steps to ensure that the information they process is accurate, complete, and not misleading.
    • Key points: Organizations must implement measures to verify and update personal information regularly. Data subjects have the right to request the correction or deletion of inaccurate information.
  6. Openness:
    • Overview: The openness condition emphasizes transparency in data processing. Data controllers are required to inform data subjects about the processing of their personal information and make information about their policies and practices accessible.
    • Key points: Organizations must provide information to data subjects about the purpose and extent of processing, the categories of recipients, and the existence of their rights under the POPIA.
  7. Security Safeguards:
    • Overview: This condition focuses on the obligation to secure personal information against the risk of loss, unauthorized access, disclosure, alteration, and destruction.
    • Key points: Organizations must implement appropriate technical and organizational measures to safeguard personal information. This includes encryption, access controls, and regular security assessments at minimum.
  8. Data Subject Participation:
    • Overview: The data subject participation condition emphasizes the rights of individuals concerning their personal information. Data subjects have the right to access their information, request corrections, and object to certain processing activities.
    • Key points: Organizations must establish mechanisms for data subjects to exercise their rights. This includes providing access to information, responding to correction requests, and handling objections to processing.

These eight conditions collectively form the framework for lawful processing under the POPIA, guiding organizations in the responsible and ethical handling of personal information. Compliance with these conditions is essential to ensure that individuals’ privacy rights are respected and protected. This can get complicated quickly without clear guidance from a data privacy professional.

Consider the following best practices if you’re an organization working to ensure compliance with South Africa’s POPIA:

  • Appoint an Information Officer: Designate an IO within the organization. This individual is responsible for ensuring compliance with POPIA, handling data protection matters, and serving as the contact person for the Information Regulator.
  • Conduct a data inventory review: Identify and document all personal information processed by the business. This includes understanding how and where data is collected, processed, stored, and shared within the organization.
  • Perform Data Privacy Impact Assessments (DPIAs): Conduct DPIAs for high-risk processing activities. They help identify and mitigate potential risks to the privacy of individuals, ensuring that data processing activities comply with POPIA.
  • Review + update policies and procedures: Develop and update privacy policies, procedures, and practices to align with the POPIA requirements. This includes clearly defining the purposes for processing personal information, specifying retention periods, and ensuring data accuracy.
  • Implement data protection measures: Set up technical and organizational measures to protect personal information from unauthorized access, disclosure, alteration, and destruction. This involves the organization’s entire cybersecurity program plus assessments and any other actions taken to protect data. Document all of these processes in detail, just in case of an unexpected audit at some point in the future.
  • Obtain proactive consent for processing: Get explicit and informed consent from individuals before processing their personal information, unless processing is justified by law or falls under another legal basis specified in the POPIA.
  • Educate and train employees: Provide training to employees on data protection principles, the requirements of the POPIA, and their roles in ensuring compliance. This helps create a culture of privacy awareness within the organization.
  • Establish procedures to support data subject rights: Set up processes for data subjects to exercise their rights, including the right to access, correction, objection, and erasure. Ensure that individuals can easily submit requests and that these requests are handled promptly.
  • Create a data breach response plan: Develop and implement a data breach response plan to promptly and effectively respond to and notify the Information Regulator and affected individuals in the event of a data breach.
  • Regularly review vendor security & management: Assess and manage the data protection practices of third-party vendors and service providers. Ensure that contracts with these entities include provisions for data protection and compliance with the POPIA.
  • Monitor and audit compliance: Regularly monitor and audit data processing activities to ensure ongoing compliance with the POPIA. This includes conducting internal audits and assessments of data protection practices.
  • Engage with the Information Regulator: Cooperate with the Information Regulator and seek guidance when needed. Notify the Regulator of any data breaches and maintain open communication to demonstrate a commitment to compliance.
  • Stay informed about regulatory updates: Stay informed about any amendments to the POPIA or additional guidelines issued by the Information Regulator. Regularly review and update compliance measures to reflect changes in the regulatory landscape.

By taking these steps, businesses can demonstrate a commitment to protecting personal information and complying with the principles and conditions outlined in the POPIA. This not only helps mitigate legal risks but also builds trust with customers and stakeholders who value privacy and data protection.

Under the POPIA, companies must acquire personal information fairly, retain data securely, use it only for agreed purposes, and delete it when no longer needed. Businesses face strict compliance obligations, including appointing information officers, registering with regulators, minimizing data collection, obtaining consent where required, reporting breaches rapidly, and potentially facing severe penalties for non-compliance.

Overall, POPIA compels businesses in South Africa to make data privacy and governance central components when handling individuals’ information. This matches the larger global trend in the right direction for individuals and businesses alike, but it’s absolutely vital for businesses to take action today to avoid getting left behind in the global marketplace.

Why Privacy Bee matters today

Protecting personal data while providing the required information about data usage to all users is imperative for businesses engaged in online service delivery today. New regulations are sprouting up around the world, necessitating more stringent opt-in and opt-out policies and granting consumers more rights. Consumers now have the ability to review and remove their personal data, increasing the accountability of every organization processing personally identifiable information (PII).

Despite the creation of additional regulations in more countries every year, the responsibility still falls primarily on the individual to oversee, assess, update and delete (via a DSAR) their personal data wherever it may be collected and dispersed across the internet. This task becomes a massive undertaking when working to cover an entire organization, rendering it practically impossible for a single person or small team to manage without outside professional help. Yet the identification and subsequent elimination of this data play a pivotal role in deterring cybercriminals from launching dangerous social engineering attacks against an organization.

This is where Privacy Bee emerges as the optimal solution, simplifying the time-consuming process of monitoring and eradicating employee personal data for business leaders. It’s especially effective for executives who are highly visible to the general public. Using sophisticated automation processes backed by a human service team, Privacy Bee substantially reduces a company’s attack surface and mitigates the looming threat of a data breach. Social engineering attacks are the fastest-growing data breach threat, no matter how mature an organization’s cybersecurity program is today. If it isn’t already covered, then threat actors still have access to the PII that is the lifeblood of the most infamous attacks companies have faced this year.

If you are already conducting risk assessments and vendor surveys, kudos to you! However, it is essential to recognize that a vendor is most susceptible to a breach via subpar data privacy management, which you wouldn’t want to bleed into your organization. Privacy Bee not only minimizes the proliferation of your organization’s personal data across the vast digital landscape but also extends its protective umbrella to vendors, helping you ensure third-party partners do not serve as the weak link in your security defenses.

You may be wondering: who is doing this, and why?

In the ever-expanding, billion-dollar surveillance industry, Data Brokers and People Search Sites have assumed pivotal roles, reaping record-breaking profits by trading and transferring your organization’s information with obscure and uncontrollable entities. These entities then either publish this information or sell it on again, and suddenly your personal data can easily be found after a quick Google Search. The consequences of private data exposure are far-reaching and pose significant threats if the information can be easily obtained by malicious cybercriminals. If it’s as simple as a quick search to find your or your coworker’s information, then threat actors can launch cyberattacks at scale, targeting the most vulnerable team members with emotionally engaging messaging that turns even the most highly-trained professionals into victims. The only way to prevent this is by stopping the data flow at the source, because the consequences are costly.

A solitary data breach leads to massive productivity losses for all affected, expensive remediation efforts, and recurring breach incidents. This isn’t new, and is a predicament that plagues the vast majority of businesses following an initial breach. Industry estimates state that as many as 83% of organizations that experienced a data breach go on to experience multiple breaches. That is staggering, and is exactly what Privacy Bee is fighting back against. The first data breach sets off a chain reaction that inflicts short-term damage on your bottom line while eroding brand value and customer trust over time. Furthermore, there are ripple effects to consider, such as heightened employee turnover due to poaching.

Privacy Bee combats external threat actors lurking beyond your organization’s perimeters. By meticulously pinpointing every nook and cranny of the internet where sensitive data resides and swiftly purging it, Privacy Bee closes the data security gap. The service even encompasses dark web monitoring and provides timely data breach notifications if another company falls victim to an exploitation incident and potentially exposes your information in the process.

Our unwavering commitment is deeply rooted in the belief that privacy is an inalienable human right that transcends political discourse and negotiations. This is why Privacy Bee vigilantly monitors user data for security vulnerabilities while holding the surveillance industry accountable. We compel Data Brokers, People Search Sites, and more than 150,000 additional websites to expunge your stored data and opt out of further data collection to protect you, your family, and your entire organization.

Privacy Bee protection covers a wide range of potential threats, including:

  • Data breaches
  • Social engineering attacks
  • Doxxing
  • Identity theft
  • Spam emails
  • Telemarketing calls
  • Cyberstalking
  • Swatting
  • Blackmail

Privacy Bee is a powerful tool for business leaders who want to protect their employee and customer data. In today’s world, where privacy is more important and harder to come by than ever, you need a trusted partner fighting to preserve your personal and organizational integrity.
