Direct Inward Dialing: +1 408 916 9393
Compliance regulations are crucial for developing a strong cybersecurity plan in organizations. Regulations are often established to protect data and ensure that other security policies are in place. With cyberattacks rising steadily over the past few years, different regulations, like the GDPR, the PCI DSS, and SOX have been brought forth by governments.
The Protection of Personal Information Act (POPIA) is regulation mandated by the South African government. It is similar to the EU's GDPR in the way it protects personal data. POPIA regulates how organizations work with personal data and holds them accountable for their use and misuse of data.
POPIA applies to organizations operating in South Africa; it also pertains to organizations that process personal data in South Africa but are not actually domiciled there.
POPIA is a comprehensive mandate that has a wide scope, applying to any information that can be used to identify a person, including full name, address, phone number, and religious or political views.
As soon as a data breach is discovered, it must be reported to the Information Regulator and the concerned individuals.
This can include fines up to R10 million or even prison.
POPIA guidelines have a few core principles that pertain to the processing of personal information. The important points for IT administrators of any organization to focus on include:
Personal information should be processed lawfully, and individuals must give their consent for their information to be processed. The information collected should be minimal and justifiable based on the purpose of collection.
The organization must appoint an information officer who is responsible for ensuring that the organization is complying with the information protection principles of POPIA.
The personal information collected should be purpose-specific, and the person whose data is being collected should be informed of the purpose while giving their consent.
The collected information should always be complete, lawfully collected and processed, and updated whenever necessary to ensure information is accurate.
The organization that collects the personal information is accountable for controlling, securing, and maintaining the integrity of the personal information in its control through organization-wide protocols and controls for data access and processing.
Organizations have to adopt a process that allows data subjects to verify whether the organization holds personal information about them, request a description of such information, and request that the organization delete their information due to consent withdrawal or data inaccuracy.
POPIA puts South Africa’s data regulation standards on par with existing data protection laws around the world. It aims to protect personal information, enforce individuals’ rights to privacy, and provide guidelines for lawfully processing sensitive information and notifying regulators and data subjects in the event of a breach.
ADManager Plus helps organizations comply with POPIA by letting them:
ADManager Plus has several other reports that can help with complying with POPIA.
|Reports and functions
Personal information must be adequate, relevant, and not excessive for its intended purpose.
|Use the following reports to demonstrate that the required technical and organizational measures are in place:
|Section 11 (4):
If a data subject objects to the processing of personal information, it must be discontinued.
|Section 14 (1):
|Section 15 (1):
Further processing of personal information should align with the original purpose of collection.
|Section 16 (1):
The responsible party should ensure the accuracy, completeness, and updated nature of personal information.
Documentation of all processing operations must be maintained by the responsible party.
|Section 19 (1):
|Section 22 (2):
Breach notifications should include necessary measures to assess the extent of the compromise and restore system integrity.
|Section 24 (1):
Data subjects may request the correction or deletion of their personal information in possession of the responsible party.
Processing of sensitive personal information is generally prohibited unless authorized by specific sections of POPI Act.
A unified approach to information security compliance ensures organizations not only address identified risks but also comply with the law. Further, having a solution like ADManager Plus, which allows you to manage access to data and offers prepackaged, compliance-specific reports, enables you to stay compliant with not just POPIA but other regulations like HIPAA, SOX, the GDPR, and the PCI DSS.
The following steps explains how your organization can become POPIA compliant.
The first step in the process is to determine the sections of POPIA that apply to your organization. This depends on factors like the nature of your company, the type of business your company participates in, and the information that you store and process.