PoPI

The Protection of Personal Information Act ( PoPIA ) was signed into South African law in late 2013 and is finally coming into full effect in June 2021

The focus, for many, has been the security implications of ensuring that personal data is not accessed without authorisation. The PoPI Act, however,  goes much further than simply defining how personal data may be captured and used. PoPIA governs the end-to-end life cycle of personal data within any company, irrespective of the size.

The Act provides for fines of up to R10 million, or jail terms of up to ten years, for non-compliance.

What is Personal Information?

PoPIA defines personal information as any data that may identify a natural, legal or juristic person, or distinguish that person from another. This includes aspects as diverse as religion, medical history, bio-metrics, online screen names, or even opinions of, or about, a third party.

Unlike GDPR, the PoPI Act applies to the data of any legal entity – from a natural person to a company, trust or non-profit institution. As such PoPIA extends beyond customer data and governs the use of other party's data, such as data related to employees, suppliers and partners.

Data management principles are woven directly into PoPIA

PoPIA from a data management context

How does our data management practice help with PoPIA Compliance?

Data Governance – identify and enrol key stakeholders to define, document, communicate and enforce acceptable use policies for personal information within your organisation.  Data policies, responsibilities and processes must be in place to comply with various conditions of the PoPI Act, as summarised below

  • Condition 1 Accountability
  • Condition 2: Processing limitation
    • Data collection policies
  • Condition 3 & 4: Valid Purpose
  • Condition 3: Retention policies
  • Condition 5: Data quality standards and rules
  • Condition 7: Security policies
    • Breach management process
    • Data sharing agreements

Data Quality – ensure that personal data used within your company is of an acceptable level of quality and measure compliance with data governance policies in order to comply with POPIA condition 5.

  • Condition 5: Data quality standards and rules

Master Data Management – ensure that you can provide an accurate indication of what data you are holding about each subject, irrespective of the channel they use to communicate with you, and that you are able to comply with customer requests to opt-out of marketing communications, as required by the below PoPI conditions

  • Condition 5: Data Quality standards and rules
  • Condition 6: Data subject notifications
  • Condition 8: Subject access

Metadata Management - understand where sensitive data is stored, and how it moves through the organisation and classify and tag personal information to ensure data privacy

  • Process register
  • Personal data inventory
  • Data quality metrics

Data Security – identify and control where personal data is held,  who has access to it and whether this access is appropriate.

  • Condition 3 & 4: Valid Purpose
    • Role-based security at the column level
  • Condition 7: Security policies
    • Section 19, 20, 21: Dynamic encryption and masking at rest and in movement
    • Section 20, 21: No sharing of keys with 3rd parties including cloud providers
    • Section 22: Real-time monitoring and behaviour-based alerts 

Data privacy

Data privacy

Govern, Protect and Monitor your Personal Data

Explore

PoPIA Accelerator

PoPIA Accelerator

Fast-track compliance with pre-built operating model

Explore

Analyst Report

Analyst Report

Data Privacy, Data Security, and Data-Related Compliance

Register Free

Automated Data Classification

Automated Data Classification

Automated discovery of PII and sensitive data

Explore