POPI and your data security

“I have an advisory business serving private and corporate clients. Our client information is stored on a central server in our offices. I have been advised to review our data security due to the growing risk of being hacked and the requirements of POPI to protect the personal information of my clients. What does POPI require of me in this regard?”

The Protection of Personal Information Act 4 of 2013 (“POPI”) aligns South Africa with the international position in respect of information and data protection. Although POPI has not yet fully come into operation, it is only a matter of time before it does.

An important aim of POPI is to protect persons from suffering damage and harm by requiring entities and persons who receive our personal information to protect such information. POPI therefore places an important responsibility on parties who collect, store, use and destroy personal information (“responsible parties”) and provides rights and remedies to persons whose rights have been infringed (“data subjects”).

POPI obliges responsible parties to ensure the integrity and confidentiality of personal information in their possession. Data security is promoted by appropriate and reasonable technical (electronic) and organisational (physical) measures to prevent the loss of, damage to, unauthorised destruction of, unlawful access to and/or the unlawful processing of personal information. It is important to understand that data security is not restricted to personal information that is processed electronically (technical). Even physical records containing personal information of data subjects (organisational) may need to be secured.

Information security breaches in the modern business environment may occur through various means, including theft, deliberate attacks on electronic systems, unauthorised use of personal information of data subjects by an employee, accidental loss or even equipment failure. Although POPI does not specify the technical requirements that must be met, it will be the responsibility of each responsible party to ensure that they have the necessary and appropriate technical and organisational measures in place to protect data. 

In the event that a responsible party’s data security safeguards are compromised and unauthorised access to personal information ensues, responsible parties will be required to notify the Information Regulator as well as the affected data subjects as soon as is reasonably possible after the discovery of the compromise. The notice will also have to contain sufficient information for data subjects to adequately protect themselves against any potential consequences of the compromise in data security.

A responsible party will also have to contain the breach, aim to recover any compromised data (if possible), assess the risks associated with the breach, including the potential harm for data subjects and conduct an investigation into the cause of the breach and the effectiveness of the response thereto.

Responsible parties will therefore carry an extensive burden in terms of POPI in respect of their network and data security and it would be advisable to enlist the help of a technical expert or POPI specialist to review your current data security systems and develop the necessary security plans and procedures for your business.

May 15, 2018
International: Privacy by Design – prioritizing security in business

International: Privacy by Design – prioritizing security in business

In today’s current digital space, safeguarding privacy and ensuring that your business is compliant with the various cyber laws and data privacy regulations is crucial to ensure that business operations are well protected. In this article, PR de Wet and Mishka Cassim, from VDT Attorneys Inc., seek to address some of the most important issues companies face and need to consider on a global scale when addressing privacy concerns.

South Africa: POPIA and prior authorisation to process personal information

South Africa: POPIA and prior authorisation to process personal information

The Protection of Personal Information Act, 2013 (Act 4 of 2013) (‘POPIA’) requires a responsible party to apply for and obtain authorisation prior to processing certain identified categories of personal information. With POPIA compliance deadlines fast approaching PR de Wet and Hayley Levey, from VDT Attorneys Inc, analyse the POPIA prior authorisation regime.

Sign up to our newsletter

Pin It on Pinterest