Almost all organisations are faced with the challenge of achieving and maintaining compliance with the Protection of Personal Information Act No. 4 of 2013 (POPI Act).
The Act came into effect on 1 July 2020. Companies have 12 months to comply with the conditions of the Act, which becomes enforceable on 1 July 2021. Non-compliance with POPIA can lead to severe penalties. The Act makes provision for fines of up to R10 million and even a jail sentence of up to 10 years, depending on the seriousness of the breach. This is enough to make anyone sit up and take notice.
What constitutes personal information under the POPI Act?
- Identity or passport number
- Date of birth and age
- Phone numbers
- Email address
- Online messaging identities
- Physical address
- Gender, race and ethnic origin
- Photos, voice recordings, video footage
- Marital relationship and family relations
- Criminal record
- Private correspondence
- Religious or philosophical beliefs including personal and political opinions
- Employment history and salary information
- Financial information
- Education information
- Physical and mental health information including medical history
- Membership of organisations
The impact of technology and protecting your personal information: be careful what you share on social media
Due to technology convergence, there is an ongoing opportunity for cyber-attacks. Everyone with a cell phone, tablet or laptop can unwittingly aid and abet cybercriminals, who are constantly on the lookout for opportunities. Every device offers an attacker a route to personal information. Social media sites contain a host of personal information which, in criminal hands, can cause serious harm to both individuals and organisations. Be careful what information you share on such platforms. Every person has a duty to protect him or herself, and the POPI Act cannot protect you if you do not care to protect yourself.
Who does the act apply to?
The Act applies to anyone who keeps any type of record relating to the personal information of anyone, unless those records are subject to other legislation which protects such information more stringently. It therefore sets the minimum standards for the protection of personal information. It regulates the “processing” of personal information. “Processing” includes collecting, receiving, recording, organising, retrieving or using such information, and disseminating, distributing or otherwise making such personal information available. The Act also applies to records that you already have in your possession.
Your organisation has the following responsibilities when protecting personal data in its possession. Remember, ignorance of the law is no excuse: companies need to update IT systems and start training and educating staff. Here are some of the essential checklist items your organisation should look at:
- Locate personal data that currently exists within the various storage repositories and tools used for file storage and collaboration, including on-premises file shares and cloud sharing applications such as Microsoft Office 365 (SharePoint, OneDrive and Exchange), Dropbox, Nutanix Files and Windows file shares.
- Appoint a POPIA team: Appoint either a dedicated POPIA compliance officer or a full team, depending on the size of your organisation.
- Upskill personnel: Train the personnel identified and ensure that your IT service provider is compliant. There is POPIA training available for you on the KnowBe4 console.
- Automatically classify documents based on the presence of personal or other sensitive data governed by POPI and other regulatory guidelines.
- Set business rules with your classifications to restrict actions that can be taken with classified documents such as print, email, save as or downloading to prevent data leakage. Prevent unlawful access to or unlawful processing of personal information.
- Ensure that documents accessed and shared in group messaging and chat tools like Microsoft Teams and Yammer have the same data security restrictions as other collaboration tools.
- Restrict collaboration between users in different geographical locations or subsidiaries to meet regulatory guidelines (information barriers).
- Automatically adapt security controls to the changing risk profile of data as users and third parties access and collaborate across multiple locations, organisational and geographic boundaries, and devices. Anybody processing personal information on behalf of an employer must have the necessary authorisation from the employer to do so.
- Track access to regulated personal data for auditing and compliance purposes.
Consumers have a basic set of rights when it comes to their personal information:
- The RIGHT to LAWFUL DATA PROCESSING: You MUST have and divulge a specific, lawful purpose for storing and processing a customer’s data.
- The RIGHT to CONSENT (or NOT): You MUST allow consumers to agree to, refuse to, or withdraw consent to the lawful use of their data.
- The RIGHT to ACCESS: You MUST provide consumers access to their data upon request and do so in a timely manner.
- The RIGHT to BE FORGOTTEN: You MUST comply with a consumer’s request that you purge and completely erase their personal data.
- The RIGHT to DATA PORTABILITY: You MUST allow a consumer to “take their data and leave” and provide the data in an open, readable format.
- The RIGHT to PRIVACY BY DEFAULT: You MUST assume a consumer’s data is private until consent is granted and ensure it is securely processed from end to end.
- The RIGHT to NOTIFICATION: You MUST alert consumers in a timely manner when their data has been affected by a security breach.
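As an added illustration of the “locate personal data” and “automatically classify documents” checklist items above (example code written for this article, not from the original text or from any product it names), here is a small Python scanner that finds three of the personal-information categories listed earlier in a document and assigns a handling label. The South African ID number structure (YYMMDD prefix plus Luhn check digit) and the phone number formats are assumptions, and the sample document is constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Detectors for three POPIA personal-information categories named on the page.
# Assumed formats: SA ID = 13 digits, YYMMDD prefix, Luhn check digit;
# phone = local 0XXXXXXXXX or +27XXXXXXXXX.
DETECTORS = {
    "identity_number": re.compile(r"(?<!\d)\d{13}(?!\d)"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"(?<!\d)(?:\+27|0)\d{9}(?!\d)"),
}

def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum over a digit string (check digit included)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def is_sa_id(candidate: str) -> bool:
    """Reject 13-digit runs that are not a plausible ID (bad date or checksum)."""
    if len(candidate) != 13 or not candidate.isdigit():
        return False
    try:
        datetime.strptime(candidate[:6], "%y%m%d")
    except ValueError:
        return False
    return luhn_ok(candidate)

def classify_text(text: str) -> dict:
    """Count hits per category and assign a handling label; matched values are
    masked so the scan report is not itself another copy of the personal data."""
    counts, findings = Counter(), []
    for category, pattern in DETECTORS.items():
        for m in pattern.finditer(text):
            value = m.group(0)
            if category == "identity_number" and not is_sa_id(value):
                continue  # e.g. a 13-digit invoice or tracking number
            counts[category] += 1
            findings.append((category, value[:2] + "*" * (len(value) - 4) + value[-2:]))
    label = "POPIA-personal" if counts else "unclassified"
    return {"label": label, "counts": dict(counts), "findings": findings}

# Constructed sample (no real people); the second 13-digit run fails the Luhn check.
SAMPLE_DOC = """Applicant: ID 8001015009087, cell 0821234567, invoice 8001015009088,
contact thandi.example@example.co.za for the medical aid form."""
```

Run `classify_text` over each file pulled from a share or mailbox export and feed the returned label into whatever tagging or DLP rule engine you use; the masked findings are safe to keep in an audit log.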