Over the past decade, data privacy regulations have evolved globally, with the European Union’s General Data Protection Regulation (GDPR) being one of the most significant. Many other countries and regions have followed suit with similar regulations, including South Africa, which first introduced the Protection of Personal Information (POPI) Act, or POPIA, back in 2013.
While some elements of the POPI Act have already taken effect, others are slated for a deadline of July 1, 2021. For businesses in South Africa and nearby countries such as Botswana, Lesotho, Namibia, and Swaziland, ensuring compliance is essential moving forward, and Virtru can support your compliance needs by safeguarding your customers’ private data.
Here’s what you need to know about the POPI Act, its objectives, and how you can protect sensitive data that falls under the act.
What is the POPI Act?
In 2013, South Africa passed the Protection of Personal Information Act (POPI). Although it predates the GDPR, it’s often referred to as South Africa’s GDPR equivalent.
The POPI Act aims to:
- Formalize the country’s Constitutional belief in a right to privacy by requiring businesses to protect personal information that is entrusted to them
- Protect individuals from security breaches, theft, and discrimination
- Safeguard the free flow of information within and outside South Africa
- Regulate how personal information is processed
- Give individuals rights and remedies to protect their personal information from processing that is not in accordance with the POPI Act
- Establish voluntary and mandatory measures to ensure compliance and to enforce and realize the rights protected by this law.
According to the POPI Act, “A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures.”
This is well-aligned with GDPR, which states, “The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected.”
The POPI Act governs how the South African population’s personal information can be used. When they share their personal data with a business or other entity, the sharing of that data is subject to certain conditions and controlled by an information regulator. The role of the information regulator is to make the conditions for processing personal information understandable to the public, to promote the protection of information and to remind organizations of their obligations under the law, particularly by publishing codes of conduct. Non-compliance with the law is punishable by fines and imprisonment.
Ultimately, when South African citizens and residents entrust their personal data to an organization, that organization is responsible for protecting it. By encrypting that data and ensuring it remains protected across its entire lifecycle—from creation of a record to storing, sharing, and beyond—organizations can ensure that individuals’ data remains secure.
Virtru’s data protection solutions empower organizations to protect data subject to the POPI Act, helping support their POPI Act compliance needs.
When does the POPI Act take effect?
The POPI Act has been implemented over the course of several years, as some elements of the Act required time for operational readiness. According to a press statement from South Africa’s President, Cyril Ramaphosa, “The Act has been put into operation incrementally, with a number of sections of the Act having been implemented in April 2014. Some of these sections include those relating to the establishment of the Information Regulator. The members of the Information Regulator took office on 1 December 2016.
“Many of the remaining provisions of the Act could only be put into operation at a later stage as they require a state of operational readiness for the Information Regulator to assume its powers, functions and duties in terms of the Act.”
The last of those provisions are slated to take effect on July 1, 2021.
What kinds of data does the POPI Act cover?
The POPI Act applies to all personal information, regardless of what form it takes. This includes everything from paper files to digital files, audio and video recordings, and WhatsApp messages.
How can I protect data subject to the POPI Act?
For one large South African organization, it was imperative to take action quickly to ensure compliance with the POPI Act. With Virtru, they were able to safeguard their customers’ most sensitive personal information quickly and easily by deploying Virtru’s data protection for Gmail. With Virtru, deployment across the enterprise was quick and easy, and because the user experience is seamless, the organization didn’t have to spend much time getting employees up to speed. It just works, and the organization can now rest assured that they’re supporting their compliance needs.
By encrypting sensitive personal information and preventing unauthorized access, organizations can protect the data subject to the POPI Act. With Virtru’s data-centric protection, which wraps each piece of information in a layer of encryption, you can ensure that your customers’ data remains secure and under your control at all times.
One key way that information is often shared unsecurely is through email. Generally, native email security is not enough to ensure that data remains truly safe—and once that information is shared, it is out of your control. If, for example, an employee accidentally types in the wrong email address when sharing a file containing sensitive information, that data is out of your hands and vulnerable to misuse.
However, with Virtru, you can protect sensitive data shared via email (including Gmail and Outlook), as well as data that flows through applications like Salesforce, Zendesk, SAP, and Workday.
Our data protection solutions are built on the Trusted Data Format, a secure method of encryption that travels with the data, everywhere it goes, so you can always maintain control. In the example of data that’s accidentally shared to the wrong address, with Virtru, you could revoke access to that email (as well as see whether that email was opened), mitigating data loss and giving you the confidence to share data in accordance with the POPI Act.
Want to learn how Virtru can support your POPI Act compliance objectives? Contact Virtru to start the conversation.
Every single organization stores and uses PII, either on their employees or customers. To better understand how to protect the PII within your organization and beyond, download a copy of our PII protection checklist.
