The Protection of Personal Information Act (also called the POPI Act or POPIA) is a data protection law enacted by the South African Parliament. It governs how local and foreign organizations collect, use, store, delete, and otherwise handle personal information in South Africa.
ManageEngine DataSecurity Plus helps address the requirements of the POPI Act by:
And much more.
Learn how to discover, track, and protect personal data to comply with the GDPR using DataSecurity Plus.
This table lists the various sections of the POPIA that are addressed by DataSecurity Plus.
| What the POPIA section says | What you should do | How DataSecurity Plus helps |
|---|---|---|
| Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant, and not excessive. | Ensure that you have not collected personal information that is unneeded for your activities. The personal information you store should be processed only by those employees who require access to it to perform their job. | Data discovery: Locates a data subject's personal information that is stored by your organization. It then creates an inventory, allowing enforcers to ensure that only necessary data is stored. Lists users who have access to the data along with details on what actions each user can perform on it. |
| If a data subject has objected to the processing of personal information, the responsible party may no longer process the personal information. | Find all instances of the data subject's personal information, and take the necessary action to stop processing the data. | Keyword matching: Identifies data matching a target keyword, enabling accurate, rapid retrieval of the personal information that has to be deleted. Once a keyword match is found, enforcers can automate its deletion or quarantine, or carry out a customized action to limit its use by executing batch files. |
| Records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed. | Organizations should not keep personal information for longer than needed, and should perform periodic reviews to identify and address data stored beyond its intended period. | File analysis: Helps build a data retention policy by finding redundant, obsolete, and trivial data in your data stores and removing the files that have exceeded their retention period. |
| Records of personal information may be retained for periods in excess of those contemplated in subsection 14(1) for historical, statistical, or research purposes if the responsible party has established appropriate safeguards against the records being used for any other purposes. | When storing sensitive personal information for extended periods of time, organizations must implement controls to ensure the security, integrity, and confidentiality of the data. | File integrity monitoring |
| A responsible party must destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after the responsible party is no longer authorized to retain the record. | Delete sensitive personal information if it reaches its limitation period, if there is no further need to process it, or if the data subject requests its deletion. | Data discovery: Identifies the data subject's personal information stored by you using keyword matching and regular expressions, and purges it from enterprise storage. Identifies and automates the deletion of old files. |
| The responsible party must restrict the processing of personal information. | Ensure that access to sensitive personal information is limited when it is under dispute, and only provide access when necessary. | Principle of least privilege (POLP) |
| Further processing of personal information must be in accordance or compatible with the purpose for which it was collected. | Deploy measures to detect and limit anomalous use of the personal information. | Instant alerts, automated responses |
| A responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading, and updated where necessary. | Identify and verify the correctness of personal information stored by your organization. | ROT data analysis: Locates files older than a user-provided age, which helps in finding data that needs to be updated. |
| A responsible party must maintain the documentation of all processing operations. | Track every action made to the personal information from collection to deletion. | File change monitoring |
| A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organizational measures to prevent— | Implement a data loss prevention (DLP) solution to prevent accidental or malicious leakage of sensitive personal information. | Permission analysis: Lists every user who can access a file containing personal information to verify whether they require the privilege. |
| The responsible party must take reasonable measures to— | Identify and assess risks to the personal information stored by you. Implement measures to mitigate the risk. | Data risk assessment: Calculates the risk score of files containing personal information by analyzing their permissions, volume, and type of rules violated along with audit details and more. Classifies business-critical files based on their sensitivity and prevents their leakage via email, USBs, printers, etc. |
| A breach notification must take into account any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party's information system. | Forensically investigate the potential causes and extent of a data breach. | Detailed audit trail: Maintains a complete audit trail of every action leading up to the data breach, which aids in effectively analyzing the root cause of the breach and the data that has been compromised. |
| A data subject has the right to— | Locate and share all information about the data subject stored by your organization along with information on individuals who have accessed it. | Finds who has what permission over files containing the personal information. |
| A data subject may request a responsible party to correct or delete personal information about the data subject in its possession. | Locate and revise all instances of inaccurate information about the data subject. Delete the data that the data subject objects to. | Data discovery: Uses data discovery to find the data subject's personal information and can execute batch files to delete or move it to a secure location for further processing. |
| A responsible party may not process personal information concerning the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, or criminal behavior of a data subject, unless authorized under sections 27-31 of POPIA. | Organizations cannot collect or store the described personal information without the necessary authorization. | Data discovery: Scans data stores for content that matches a regular expression or a keyword set. This helps organizations without the necessary authorization to detect and rectify instances of the pertinent personal information, and avoid non-compliance penalties. Reports on the files that contain the personal information along with details on its location, who has access to it, its risk score, and more. |
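Several rows above rely on the same two mechanisms: keyword or regular-expression matching to locate files that hold personal information, and a file-age check to flag records kept past their retention period. The following Python script is an added illustration of how such a scan works in principle; it is not DataSecurity Plus code and makes no claim about how that product is implemented. The keyword list, the email pattern, the retention period and the three sample files it writes into a temporary directory are all constructed for this example.

```python
import os
import re
import tempfile
import time
from dataclasses import dataclass

# Constructed keyword set and pattern dictionary; a real deployment would
# maintain these centrally and review them as the data inventory changes.
KEYWORDS = ["passport", "medical record"]
PATTERNS = {"email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")}
SECONDS_PER_DAY = 86400


@dataclass
class Finding:
    path: str            # path relative to the scanned root
    matches: list        # keyword strings and pattern labels that matched
    age_days: float      # age derived from the file's modification time
    over_retention: bool # True when age exceeds the retention period


def scan_tree(root, keywords, patterns, retention_days):
    """Walk `root`, report every readable file that matches a keyword or
    pattern, and mark those older than `retention_days` for review."""
    findings = []
    now = time.time()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable files are skipped, not treated as clean
            lowered = text.lower()
            matches = [kw for kw in keywords if kw.lower() in lowered]
            matches += [label for label, rx in patterns.items() if rx.search(text)]
            if not matches:
                continue
            age_days = (now - os.path.getmtime(path)) / SECONDS_PER_DAY
            findings.append(Finding(
                path=os.path.relpath(path, root),
                matches=matches,
                age_days=age_days,
                over_retention=age_days > retention_days,
            ))
    return findings


def build_sample_store():
    """Create a throwaway directory with constructed files whose modification
    times are backdated so the retention check has something to flag."""
    root = tempfile.mkdtemp(prefix="popia_demo_")
    samples = {
        "hr/applicant.txt": ("Passport number on file. Contact: jane@example.com", 400),
        "notes/todo.txt": ("Buy coffee", 5),
        "ops/recent.csv": ("medical record attached", 10),
    }
    for rel, (content, age_days) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        mtime = time.time() - age_days * SECONDS_PER_DAY
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    store = build_sample_store()
    for f in scan_tree(store, KEYWORDS, PATTERNS, retention_days=365):
        flag = "REVIEW: past retention" if f.over_retention else "within retention"
        print(f"{f.path}: matched {f.matches}, {f.age_days:.0f} days old, {flag}")
```

The scan only reports; deletion or quarantine is deliberately left to a separate, reviewed step, since a false positive in an automated purge is itself a data-integrity incident. Modification time is a weak retention signal (it resets on any edit), so a production inventory would record the collection date alongside each finding rather than inferring it from the filesystem.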
Disclaimer: Fully complying with the POPIA requires a variety of solutions, processes, people, and technologies. This page is provided for informational purposes only and should not be considered legal advice for POPI Act compliance. ManageEngine makes no warranties, express, implied, or statutory, about the information in this material.