Cloud Services & Data
September 6, 2021
Cybercrime on the increase
September 16, 2021

POPIA is now a reality in South Africa and yet there is still so much uncertainty on how it effects your business and whether you need to comply to the Protection of Personal Information Act (POPIA).

We have decided to give you a short guide that outlines your organisation’s responsibilities, how the act compares with GDPR and very important how it applies to email data.

Some reassuring words

While you get to grips with POPIA, it’s good to know that compliance with regards to your organisation’s email data is easier than you think. You can address it and GDPR compliance, as well as forensics and business continuity, all together with one easy-to-use and affordable email forensic archiving solution. More about that shortly. First, here's what you need to know about POPIA.

Background: meeting international privacy standards

Privacy rights and the need to protect personal information have been issues for some time now. Not just in South Africa, but in many other countries as well. With organisations collecting increasing amounts of electronic personal data, something had to be done to protect it.

This is why the EU introduced the General Data Protection Regulation (GDPR), which came into force in 2018.

In the US, the state of California’s Consumer Privacy Act (CCPA) took effect in 2020 and will be complemented in 2023 by the California Privacy Rights Act (CPRA). Other states are looking to follow them with similar legislation.

Many countries including Australia and New Zealand have recently tightened up their privacy/personal data laws too.

And now, South Africa joins them with the Protection of Personal Information Act (POPIA).

Developed over many years, and closely connected to the country’s constitution, POPIA came into effect on 1 July 2021. The Act recognises that “section 14 of the Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy”. This includes “a right to protection against the unlawful collection, retention, dissemination and use of personal information”.

The new law is designed to “regulate, in harmony with international standards”. There are similarities and differences with GDPR, which you can read about below.

How does POPIA define personal information?

The act says personal data is information that relates to an identifiable living person and to an identifiable, existing juristic person (that is, a company or other similar legal entity). Relevant data also includes account numbers and special personal information” about a data subject’s:

An interesting fact is that some of this “special personal information” described in POPIA has a very close correlation to the South Africa’ Constitutional Law with reference to Chapter 2, Bill of Rights.

  • religious or philosophical beliefs
  • race or ethnic origin
  • trade union membership
  • political persuasion
  • health
  • sexuality
  • criminal behaviour (with certain exceptions)
  • biometrics (with certain exceptions)

Which organisations does POPIA affect?

The POPI Act applies to any public or private body that collects and processes the personal information described above of any South African citizen or organisation.

The industries most affected are financial services, healthcare, and marketing but it does not exempt any other business. Our advice is that you make sure, even if you are a SMME , you might have employee information or customer information that you did not think is important.

How does POPIA affect your business?

Under the POPI Act, your organisation must have an appointed information officer. This person is responsible for ensuring your business complies with the act. The officer’s duties are described on this Government website.

There are eight conditions your organisation must meet to process personal information lawfully. They are:

  1. Accountability. It’s the responsibility of your business to make sure the conditions for lawful processing are met.
  2. Processing limitation. Your business must be able to justify the processing of personal information so that it’s done lawfully and minimally, on grounds recognised under POPIA, such as consent or legitimate interests. Also, you must have the data subject's consent, unless certain exceptions apply.
  3. Purpose specification. Your business must have a specific, explicitly defined and lawful purpose for processing the information, and comply with POPIA’s retention and restriction of records provisions.
  4. Further processing limitation. Further processing must be in accordance with or compatible with the purpose for which your business originally collected it. This is subject to limited exceptions.
  5. Information quality. Your business must take steps to make sure the information is complete, accurate, not misleading and updated when this is necessary.
  6. Openness. Your business must document all processing operations and make sure the data subject knows that you are collecting their personal information and how you intend to use it.


     7.  Security safeguards. Your business must:

  • take appropriate, reasonable technical and organisational measures to securely maintain the integrity and confidentiality of any personal information it holds;
  • have a written contract to ensure that the operator processing personal information for your business has established security measures and maintains them;
  • if personal data is discovered to be compromised (for example, hacked or lost), your business must notify the Information Regulator and the data subject as soon as reasonably possible after the discovery.
  1. Data subject participation. Your organisation must allow a data subject to see the personal information you hold on them, if the data subject asks you. Also, you may need to correct, delete or destroy personal information.


South African companies that deal with EU citizens must comply with GDPR, which is similar to POPIA. Both are designed to:

  • Protect individuals’ rights to privacy – one of South Africans, and the other of EU citizens.
  • Make organisations that collect or process personal information responsible for safeguarding that data from theft, loss and misuse.
  • Force businesses to take or implement appropriate technical and organisational measures to protect that data.
  • Require organisations to appoint a person to oversee their compliance. POPIA calls this person “the information officer”, and GDPR refers to them as the “data protection officer”.

Where are the two laws different?

  • With POPIA, every organisation must have an information officer, while GDPR compels only some to have a data protection officer.
  • GDPR applies only to individual people. POPIA extends to collected information from juristic persons (companies or similar legal entities).
  • POPIA covers more categories of personal information, such as religious affiliations (see list above).
  • POPIA’s fines for negligence in protecting data – up to ZAR 10 million, or US$700,000 – are less severe than GDPR’s. (With either law though, for more serious offences, you could face a prison sentence.)
  • GDPR exempts some SMEs from having to keep records.
  • GDPR grants data subjects the “right to be forgotten” – that is, you must delete any personal data you hold of theirs if they ask you to. In contrast, with POPIA, the information a data subject can make you delete must be inaccurate, irrelevant, excessive, out-of-date, incomplete, misleading or obtained unlawfully.

POPIA and email data

Your organisation’s old emails – both sent and received – contain lots of personal data of the types covered by POPIA:

  • Employee data, ranging from CVs and contact details to performance reviews
  • Customer and supplier correspondence including personal details

You’ve probably archived many years’ worth of such emails. So, it’s crucial to make sure you have an email archiving solution that can meet POPIA’s regulations.

Compliant, affordable email archiving

The good news is that you can easily comply with both POPIA and GDPR by implementing Cryoserver, an email archiving solution used by organisations of all types and sizes.

Not only does Cryoserver store emails securely; it also enables quick, forensic access and supports your business continuity.

Cryoserver is designed to meet any standard of privacy compliance in the world and we have been representing them in Africa since 2006. Many of our clients have this solutions for many years and more than once , it assisted the forensic teams to collect evidence for their cases.

That’s why many South African and European businesses choose it. Other attractions include:

  • a choice of on-premises solutions and cloud solutions (from a portfolio of data centres across the world including South Africa – we can ensure your data resides in RSA)
  • a secure, independent, tamper-evident archive
  • ensuring the integrity of emails so they can be used as evidence in court
  • ease of use
  • a lightning-quick search tool – essential for subject access requests under POPIA or GDPR, or for e-Discovery; users can find emails in seconds
  • usefulness as an everyday business tool for all departments
  • authorised user access controls
  • fully audited access
  • quick, simple, audited deletion of personal data when required by POPIA or GDPR
  • greater flexibility of data ownership compared with other solutions
  • the affordability of our on-prem solution compared with competitors
  • our tech support team, who are famous for their knowledge and helpfulness

Leave a Reply

Your email address will not be published. Required fields are marked *