POPIA is now a reality in South Africa and yet there is still so much uncertainty on how it effects your business and whether you need to comply to the Protection of Personal Information Act (POPIA).
We have decided to give you a short guide that outlines your organisation’s responsibilities, how the act compares with GDPR and very important how it applies to email data.
Some reassuring words
While you get to grips with POPIA, it’s good to know that compliance with regards to your organisation’s email data is easier than you think. You can address it and GDPR compliance, as well as forensics and business continuity, all together with one easy-to-use and affordable email forensic archiving solution. More about that shortly. First, here's what you need to know about POPIA.
Background: meeting international privacy standards
Privacy rights and the need to protect personal information have been issues for some time now. Not just in South Africa, but in many other countries as well. With organisations collecting increasing amounts of electronic personal data, something had to be done to protect it.
This is why the EU introduced the General Data Protection Regulation (GDPR), which came into force in 2018.
In the US, the state of California’s Consumer Privacy Act (CCPA) took effect in 2020 and will be complemented in 2023 by the California Privacy Rights Act (CPRA). Other states are looking to follow them with similar legislation.
Many countries including Australia and New Zealand have recently tightened up their privacy/personal data laws too.
And now, South Africa joins them with the Protection of Personal Information Act (POPIA).
Developed over many years, and closely connected to the country’s constitution, POPIA came into effect on 1 July 2021. The Act recognises that “section 14 of the Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy”. This includes “a right to protection against the unlawful collection, retention, dissemination and use of personal information”.
The new law is designed to “regulate, in harmony with international standards”. There are similarities and differences with GDPR, which you can read about below.
How does POPIA define personal information?
The act says personal data is information that relates to an identifiable living person and to an identifiable, existing juristic person (that is, a company or other similar legal entity). Relevant data also includes account numbers and “special personal information” about a data subject’s:
An interesting fact is that some of this “special personal information” described in POPIA has a very close correlation to the South Africa’ Constitutional Law with reference to Chapter 2, Bill of Rights.
Which organisations does POPIA affect?
The POPI Act applies to any public or private body that collects and processes the personal information described above of any South African citizen or organisation.
The industries most affected are financial services, healthcare, and marketing but it does not exempt any other business. Our advice is that you make sure, even if you are a SMME , you might have employee information or customer information that you did not think is important.
How does POPIA affect your business?
Under the POPI Act, your organisation must have an appointed information officer. This person is responsible for ensuring your business complies with the act. The officer’s duties are described on this Government website.
There are eight conditions your organisation must meet to process personal information lawfully. They are:
7. Security safeguards. Your business must:
Is POPIA like GDPR?
South African companies that deal with EU citizens must comply with GDPR, which is similar to POPIA. Both are designed to:
Where are the two laws different?
POPIA and email data
Your organisation’s old emails – both sent and received – contain lots of personal data of the types covered by POPIA:
You’ve probably archived many years’ worth of such emails. So, it’s crucial to make sure you have an email archiving solution that can meet POPIA’s regulations.
Compliant, affordable email archiving
The good news is that you can easily comply with both POPIA and GDPR by implementing Cryoserver, an email archiving solution used by organisations of all types and sizes.
Not only does Cryoserver store emails securely; it also enables quick, forensic access and supports your business continuity.
Cryoserver is designed to meet any standard of privacy compliance in the world and we have been representing them in Africa since 2006. Many of our clients have this solutions for many years and more than once , it assisted the forensic teams to collect evidence for their cases.
That’s why many South African and European businesses choose it. Other attractions include: