South Africa Protection of Personal Information Act

POPIA aims to strengthen the protection of personal information processed within South Africa and to enable individuals to enforce their right to privacy as set out in the Bill of Rights.

POPIA applies to a broad range of data processing activities, and it applies to both South African and foreign organisations that process personal information within South Africa.

Genesis:

  • Section 14 of the Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy
  • The right to privacy includes a right to protection against the unlawful collection, retention, dissemination and use of personal information
  • The State must respect, protect, promote and fulfill the rights in the Bill of Rights

POPIA applies to the processing of personal information entered in a record by or for a responsible party (POPIA's term for what other regimes call a data controller) that is domiciled in South Africa and that uses automated or non-automated means to process the personal information. It also applies where the responsible party is not domiciled in South Africa but uses automated or non-automated means located in South Africa, unless those means are used only to forward personal information through South Africa.

Further, POPIA's definition of "person" includes juristic persons, so legal entities (corporations) enjoy the same data protection rights as individuals. Correspondence that is implicitly or explicitly of a private or confidential nature is itself personal information.

Essential ingredients of Protection of Personal Information Act

Personal information may only be collected and used for clearly specified reasons. An organisation may not use personal information for purposes that are incompatible with the purpose for which it was collected. POPIA sets out eight conditions for the lawful processing of personal information:

  • Accountability: The responsible party must ensure that the conditions for lawful processing, and all the measures that give effect to them, are complied with.
  • Processing limitation: Personal information must be processed lawfully, reasonably and only to the extent necessary for the purpose (minimality), on a recognised basis such as the data subject's consent, and collected directly from the data subject unless an exception applies.
  • Purpose specification: Personal information must be collected for a specific, explicitly defined and lawful purpose, and must not be used in a way that is incompatible with that purpose.
  • Further processing limitation: Further processing is permitted only where it is compatible with the original purpose of collection, for example where the data subject has consented to it.
  • Information quality: The responsible party must take reasonable steps to ensure that personal information is complete, accurate, not misleading and up to date before it is used.
  • Openness: The data subject must be informed of the purpose for which personal information is collected and of the identity of the responsible party collecting it.
  • Security safeguards: The integrity and confidentiality of personal information must be maintained through appropriate, reasonable technical and organisational measures.
  • Data subject participation: Data subjects have the right to request access to, correction of, and deletion of personal information held about them.
The Trust Challenge

Key challenges in brief:

Data processing records:

POPIA (section 17) requires the responsible party to maintain documentation of all processing operations under its responsibility.

Personal information impact assessment:

The POPIA Regulations, among other things, require a personal information impact assessment to be conducted to ensure that adequate measures and standards exist for complying with the conditions for lawful processing.

Cross-border data transfers:

Under section 72, personal information may be transferred to a recipient outside South Africa only in limited circumstances, for example where the recipient is subject to a law, binding corporate rules or an agreement that provides an adequate level of protection, where the data subject consents to the transfer, or where the transfer is necessary for the performance of a contract.

Data retention, minimisation and deletion:

Section 14 provides that records of personal information must not be retained longer than is necessary to achieve the purpose for which the information was collected or subsequently processed, unless retention is required or authorised by law, is reasonably required for a lawful purpose related to the responsible party's functions, is required by a contract between the parties, or the data subject has consented to longer retention. Once the retention period ends, the record must be destroyed, deleted or de-identified, and destruction or deletion must be done in a manner that prevents the record from being reconstructed in an intelligible form.

Data breach notification:

  • Section 19 of POPIA obliges a responsible party to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of it.
  • In terms of section 22 of POPIA, where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person, the responsible party must notify the Information Regulator and the data subject, unless the identity of the data subject cannot be established.
  • The notification must be made as soon as reasonably possible after discovery of the compromise, taking into account the legitimate needs of law enforcement and any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party's information system.

Consent management:

Under section 69 of POPIA, processing a data subject's personal information for direct marketing by means of unsolicited electronic communications (including email and SMS) is prohibited unless the data subject has consented, or the recipient is an existing customer of the responsible party whose contact details were obtained in the context of a sale and who is marketed similar products or services, with an opportunity to object offered each time. The responsible party may approach a data subject who is not an existing customer only once to request the opt-in, and the Regulations to POPIA contain a prescribed form to be used for that request.

Fulfilment of data subject rights:

Data subjects have a series of rights conferred on them by POPIA, for instance the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to object, the right to be notified of a breach, the right not to be subject to decisions based solely on automated processing, the right to complain to the Information Regulator, and the right to institute civil proceedings.

Win-Win Situation

Solutions:

Ardent Privacy's solutions relating to the above-mentioned challenges:

Data discovery, inventory and mapping: Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence), discovers personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments. TurtleShield DI (Data Inventory) enables organisations to inventory and map their entire "data footprint", so that they can protect what matters most.

Third-party privacy intelligence (monitors third-party sharing): Silos between entities, or between business and IT teams, often make it hard to get a full picture of the data leaving and entering the organisation, especially where data is shared with third parties, vendors and business partners. TurtleShield PI creates a data map based on your data sharing so that you can act on it.

Data minimisation: TurtleShield DM (Data Minimization) helps businesses reduce excess data and adhere to the data minimisation principle. It is a data hygiene control approached from a risk-reduction and compliance perspective: large data sets are scanned with machine learning to find excess data, including personal data. Removing unwanted data eliminates operational inefficiencies and saves both the cost of storing it and the legal cost of holding it from a regulatory-compliance standpoint.

Right to be forgotten (RTBF) with assured deletion: TurtleShield RTBF (Right to Be Forgotten) gives businesses the capability to comply with mandatory deletion of personal data by deleting the data on request and validating that the deletion took place.

Enable data subject rights with cost savings and full compliance: Search capability across large data sets to fulfil data subject requests completely and quickly. The assumption that data exists only in databases and nowhere else is often wrong; customer data lives in many sources. Using machine learning and AI, we crawl across data sources and predict where PII can exist.
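To make the discovery and data-subject-search steps above concrete, here is an added example of a rule-based personal-information scanner over a few constructed sources (a CSV export, a support ticket and an application log). It is not TurtleShield code and not from Ardent Privacy; the file names, people, numbers and identifiers are all made up. It validates candidate South African ID numbers using the public format (YYMMDD, then sequence, citizenship and a Luhn check digit) so that other 13-digit numbers such as invoice or order numbers are not reported, and it records masked values and offsets rather than copying raw identifiers into the inventory.

```python
"""Rule-based personal-data discovery over mixed sources.

Added example; not Ardent Privacy or TurtleShield code. All sources and
identifiers below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import date

# South African ID number: YYMMDD SSSS C A Z, 13 digits, Z = Luhn check digit.
SA_ID_RE = re.compile(r"(?<!\d)\d{13}(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# SA phone numbers: +27 or a leading 0, then 9 digits, optional space/dash groups.
PHONE_RE = re.compile(r"(?<!\d)(?:\+27|0)[\s-]?\d{2}[\s-]?\d{3}[\s-]?\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _valid_date(y: int, m: int, d: int) -> bool:
    try:
        date(y, m, d)
        return True
    except ValueError:
        return False


def is_sa_id(candidate: str) -> bool:
    """Report a 13-digit run as an ID only if its date part is a real calendar
    date (the century is not encoded, so 19xx and 20xx are both tried) and the
    Luhn check digit verifies."""
    if len(candidate) != 13 or not candidate.isdigit():
        return False
    yy, mm, dd = int(candidate[:2]), int(candidate[2:4]), int(candidate[4:6])
    if not any(_valid_date(c + yy, mm, dd) for c in (1900, 2000)):
        return False
    return luhn_ok(candidate)


def mask(value: str, keep: int = 4) -> str:
    """Keep only the last `keep` characters so the inventory itself does not
    become another copy of the personal information it catalogues."""
    return "*" * (len(value) - keep) + value[-keep:]


@dataclass(frozen=True)
class Finding:
    source: str   # where the value was found
    kind: str     # category of personal information
    masked: str   # masked value, never the raw identifier
    offset: int   # character offset in the source, for follow-up


def scan_text(source: str, text: str) -> list[Finding]:
    found = []
    for m in SA_ID_RE.finditer(text):
        if is_sa_id(m.group()):
            found.append(Finding(source, "sa_id_number", mask(m.group()), m.start()))
    for m in EMAIL_RE.finditer(text):
        found.append(Finding(source, "email", mask(m.group()), m.start()))
    for m in PHONE_RE.finditer(text):
        found.append(Finding(source, "phone", mask(m.group()), m.start()))
    return found


def discover(sources: dict[str, str]) -> dict[str, list[Finding]]:
    """Scan every source; sources with no personal information are left out."""
    inventory = {}
    for name, content in sources.items():
        findings = scan_text(name, content)
        if findings:
            inventory[name] = findings
    return inventory


def summarize(inventory: dict[str, list[Finding]]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for findings in inventory.values():
        for f in findings:
            counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample sources (fictional people, numbers and file names).
SAMPLE_SOURCES = {
    "hr_export.csv": "surname,id_number,mobile\nNaidoo,8001015009087,082 555 1234\n",
    "support_ticket_4411.txt": (
        "Customer wrote from thandi@example.co.za asking why invoice 1234567890123 "
        "went to the old address. Call back on +27 82 555 1234."
    ),
    "app.log": "2024-03-01T10:00:00Z INFO order=5550001234567 status=shipped",
}

if __name__ == "__main__":
    inv = discover(SAMPLE_SOURCES)
    for name, findings in inv.items():
        for f in findings:
            print(f"{name}: {f.kind} {f.masked} @ {f.offset}")
    print(summarize(inv))
```

Run as written, the scanner reports one ID number and one phone number in the CSV and one email address and one phone number in the ticket; the invoice and order numbers fail the date check and are not reported, and the log file drops out of the inventory entirely. Real deployments would add more detectors and read from actual stores, but the two design points carry over: validate structured identifiers rather than trusting a digit count, and keep raw values out of the inventory.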
