The Protection of Personal Information Act (POPI) is due to come into effect in South Africa in 2018. There is no doubt that this act will have serious implications for a great number of businesses and how the data in their possession is handled and processed.
The Act has not been placed into full effect just yet as it’s awaiting the president’s final approval. The president has, however, brought one provision of the Act into effect, namely installing a regulator that can oversee and protect the provisions named in POPI.
“The data held by many organisations is highly sensitive and needs to be handled as such. The Act is quite strict on what information is gathered, how it is accessed and stored and who has access to that information,” explains Anvee Alderton, channel manager at Trend Micro Southern Africa.
The Act also calls for transparency in the event of the data being compromised in any way. Access to the information has to be tracked to prevent unauthorised individuals from obtaining the data. It also places responsibility for the information in the hands of those who have collected it and those who store it.
“In a digital society such as ours, it’s vital that information be safeguarded, that access to this information be controlled and we know who to hold accountable if there has been a breach,” notes Alderton.
South Africa’s POPI Act is in line with international regulations surrounding data gathering, storage and protection, most notably GDPR, or Europe’s General Data Protection Regulation. Both POPI and the GDPR seek to unify and strengthen data protection. Both pieces of legislation are driven by the need to place control of personal information, and of how it is collected, stored and used, back into the hands of the citizens that it belongs to.
What kind of personal information is going to be protected under POPI? Names, addresses, ID numbers and telephone numbers are the obvious pieces of data that fall under the umbrella of personal data. The Act extends its protection to online chats, financial information, employment history, photos, recordings and video recordings. The Act also lists medical history, private correspondence, education information, criminal records and any information on race, religion and political affiliation.
“Data that falls under POPI includes the data relating to various organisations and companies. It also takes into consideration information used in international transactions. The Act has been well thought out and is a necessity in today’s information driven world,” says Alderton.
Businesses and organisations in contravention of the Act may face fines of up to R10-million. Individuals and organisations are allowed to have access to their own personal information. Data collection companies and companies that store data can be held accountable if there is a breach and, once again, face heavy fines.
“Trend Micro offers integrated DLP solutions for email, web and endpoint channels. This ensures that sensitive customer and employee personal information does not leave the customer’s environment. There may be occasions when customer information needs to be sent to a third party, and secure data transport through encryption is essential. Trend Micro also offers full disk encryption which will assist a customer in meeting POPI compliance,” explains Alderton.
“POPI is there to protect data — all data. What it means is that there may be companies that will need to run a tighter ship as far as security and information storage goes. Ultimately, it’s a chance to ensure that the right policies, procedures, security and people are in place in order to keep information safe,” he adds.