Complying with South Africa's POPI Act

What is the Protection of Personal Information Act (POPIA)?

POPIA is a regulatory mandate aimed at safeguarding the personally identifiable information (PII) of South African citizens. It sets out the conditions for the lawful collection and processing of citizens' personal data by all public and private organizations, whether located inside or outside the Republic of South Africa.

What is personal information according to POPIA?

POPIA compliance requires protecting the PII of employees, vendors, suppliers, and partners in addition to customer data. In POPIA, personal information includes (but is not limited to) aspects as diverse as:

  • Religious or philosophical beliefs
  • Race, gender, ethnic origin
  • Trade union membership or political persuasion
  • Medical, financial, educational, or criminal records
  • Biometric information
  • Confidential correspondence (email content)
  • Online identifier
  • Information of children

Why should my organization comply with POPIA?

Increased goodwill

Compliance with such regulations will improve your organization's reputation among the public.

Competitive advantage

Adhering to such strict guidelines will earn the trust of customers. They'll know they can trust your company over others that aren't complying.

Cybersecurity

Security measures taken for POPIA compliance will be a stepping stone to protect your organization against data breaches.

Avoid unwanted penalties

Failure to comply with POPIA can cost you and your company either imprisonment of up to 10 years, a fine of up to R10 million, or both.

POPIA conditions

POPIA can be broadly categorized into eight conditions, and adhering to them all is a multi-step process. Knowing what these conditions mean to your organization is key to achieving compliance.

How to comply with POPIA conditions

POPIA requirements are vast, and they might seem complex and baffling. Adherence to these conditions requires a combination of strict organizational policies and technical measures. But by adopting the right processes and IT products, POPIA compliance can be made a lot easier. ManageEngine has a comprehensive suite of IT management solutions to help your organization comply with the data security, documentation, and audit requirements of POPIA. Meet the following POPIA conditions with the help of ManageEngine solutions.

Condition 1: Accountability
What it means to your organization

Appoint an information officer or a deputy information officer who will bear the sole responsibility to ensure compliance during the collection and processing of data.

How can IT help?

Identity and access management tools will help to establish role-based access controls so that only authorized personnel will be able to handle sensitive data.

How can ManageEngine help?

Access Manager Plus: Create custom roles with preset role permissions to ensure users have only the access required to perform their tasks.

M365 Manager Plus: Help establish role-based access control for Microsoft 365 administration.

Desktop Central: Grant permissions of your choice based on multiple predefined and/or tailor-made roles using its Role-Based Access Control (RBAC) approach.

AD360: Select any combination of management, auditing, reporting and alerting tasks concerning AD and Microsoft 365, and delegate them by creating custom help desk roles.

Condition 2: Processing limitation
What it means to your organization

Collect and store only the data required for a specific purpose, and process it only with the consent of the data subject.

How can IT help?

Locate and delete junk data including obsolete and duplicate files using data discovery tools.

How can ManageEngine help?

DataSecurity Plus: Locate PII with its PII scanner. It supports scans for sensitive data from over 50 file types including text and email.

Condition 3: Purpose specification
What it means to your organization

Ensure that the information collected is for a specific, well-defined, and legitimate purpose. After processing, the data should be disposed of in an irretrievable manner.

How can IT help?

Data discovery tools help locate sensitive content such as PII/ePHI and maintain an inventory of the personal data stored. This prevents any of the data storage points from being missed in the deletion process.

How can ManageEngine help?

DataSecurity Plus: Find all forms of PII associated with a data subject across Windows file servers using regex or keyword matching.

Condition 4: Further processing limitation
What it means to your organization

Further processing should be compatible with the originally stated purpose and requires additional consent from the data subject, except where legal or national security requirements apply.

How can IT help?

Security information and event management (SIEM) solutions help detect and audit anomalous activities involving stored sensitive data, such as data leaks, unauthorized sharing, modifications, or deletions, to ensure that the data is not misused by internal or external parties.

How can ManageEngine help?

DataSecurity Plus: Monitor and analyze the usage of all removable devices, and block sensitive data being copied to USB devices with DataSecurity Plus' USB tracking.

Log360: Detect suspicious user behavior with Log360's UEBA engine's unsupervised machine learning algorithms and statistical analysis.

Condition 5: Information quality
What it means to your organization

The information collected and stored should be complete, accurate, and not misleading. It should also only be updated when necessary.

How can IT help?

Use a real-time alert mechanism to notify you of unauthorized access, modification, or deletion of files containing confidential data.

How can ManageEngine help?

Log360: Generate real-time email/SMS alerts when files containing confidential data are accessed, copied, or modified. Log360's predefined reports help to trace back activities to the user that performed them.

Access Manager Plus: Create context-rich logs of user sessions, and instantly send SNMP traps and syslog messages to SIEM tools to support compliance audits.

Condition 6: Openness
What it means to your organization

Make the data subject aware of all the details regarding the collection and processing of data. Strict documentation of all processing operations must be maintained as proof.

How can IT help?

Use a privileged session management solution to generate context-based audit logs, session recordings of users handling personal data, and predefined report templates that help document processing activities.

How can ManageEngine help?

PAM360: Capture all activities around privileged accounts with context-rich logs, built-in reports, and user session recordings.

Log360: Enable agentless and agent-based log collection and leverage comprehensible predefined compliance reports.

Condition 7: Security safeguards
What it means to your organization

Take technical and organizational measures to ensure the integrity, confidentiality, and security of the collected information.

How can IT help?

IT solutions can help organizations meet the security requirements under condition 7:

(i) Detect vulnerabilities and unknown external attacks using custom correlation rules in log management tools.

How can ManageEngine help?

Log360: Detect potential external threats like SQL injection attempts, ransomware activities, malicious URL requests, malware installation, and more using the predefined rules in Log360's real-time correlation engine.

(ii) Learn from the mistakes made in the past by performing root cause analysis on breaches using log forensics.

How can ManageEngine help?

Log360: Conduct root cause analysis on data breaches, and view details on each breach's source, time, and impact using Log360's intuitive log search engine.

(iii) Patch management tools can automate updates and patching of servers, operating systems, corporate assets, and applications.

How can ManageEngine help?

Patch Manager Plus: Scan endpoints to detect missing patches, and automate deployment of tested patches to OS and third-party applications.

(iv) Browser security solutions can manage and secure browsers across networks.

How can ManageEngine help?

Browser Security Plus: Perform periodic scans of all browsers accessed from multiple devices storing corporate data to detect any threats.

(v) Auditing solutions can audit and monitor critical resources to ensure data integrity and protection of corporate assets.

How can ManageEngine help?

DataSecurity Plus: Track accesses to confidential files using central access audit logs, and maintain audit trails to help comply with IT regulations.

PAM360: Obtain readily available video recordings, custom reports, and audit logs on privileged user activity.

ADAudit Plus: Enable real-time Windows Active Directory auditing, logon/logoff auditing, file server auditing, and Windows Server auditing.

(vi) Breach prevention tools can help detect vulnerable sources, limit access to confidential files, and encrypt data in transit to prevent security breaches.

How can ManageEngine help?

Vulnerability Manager Plus: Discover security loopholes in local and remote endpoints and use attacker-based analytics to identify areas that are more prone to attacks.

Password Manager Pro: Organize and store privileged identities using a central vault. It helps to securely share passwords with team members on an as-needed basis.

Key Manager Plus: Gain complete visibility into SSH keys and SSL environments to avoid data breaches or compliance issues.

(vii) Data discovery and security tools can provide information such as risk scores of files containing PII and vulnerable sources, which is required to perform a data protection impact assessment and to identify and assess the risks of a project.

How can ManageEngine help?

DataSecurity Plus: Locate files with sensitive data, and analyze their vulnerability by calculating their risk score based on the permissions, the volume, the type of rules violated, audit details, and more.

Condition 8: Data subject participation
What it means to your organization

Have a system in place to meet the requests of data subjects for the modification or deletion of information on account of outdated, incomplete, inaccurate, or unlawfully obtained data.

How can IT help?

Data discovery tools can help locate files with the sensitive information of data subjects to further correct, update, or delete them.

How can ManageEngine help?

DataSecurity Plus: Create custom data discovery rules and policies to locate sensitive data stored in your file servers. You can also generate reports that include the type, location, and the amount of sensitive data stored in each file.

ManageEngine for POPIA compliance

Download this guide to get an in-depth look into the POPIA mandates and the various tools that are essential to prepare your organization to achieve POPIA compliance.


Work with ManageEngine’s regional partner to find the right IT solution for your POPIA compliance needs.

In partnership with

ITR

ZA: 012 665 5551

E: contact@itrtech.co.za

Disclaimer

Fully complying with the POPI Act requires a variety of solutions, processes, people, and technologies. The solutions mentioned above are some of the ways in which IT management tools can help with some of POPIA's requirements. Coupled with other appropriate solutions, processes, and people, ManageEngine's solutions help achieve and sustain POPIA compliance. This material is provided for informational purposes only and should not be considered legal advice for POPIA compliance. ManageEngine makes no warranties, express, implied, or statutory, as to the information in this material.
