It’s safe to say that when it comes to the POPI Act, the situation is more than a little bit nebulous. Due to misconceptions and misunderstandings, many South African businesses are left scratching their heads, with more questions than answers, like:
- What exactly is the POPI Act?
- What does it mean for my business?
- What do I need to do?
- Has it already taken effect?
While reading the act itself is certainly an option, many might be left in the lurch regarding the dense wordiness and ‘legalese’ of the outlined regulations, often buried and left ambiguous as to what the requirements actually are or what they mean; at the very least, certainly, the implications are hard to foresee.
As Digital Cabinet is a mobile platform that stores your data on cloud-based servers, we had many of the same questions as you out there, and we would like to help by shining some light on some of the relevant information surrounding the POPI Act.
The ethics of POPI
First, let’s make a quick distinction: the Protection of Personal Information (POPI) and South Africa’s Protection of Personal Information Act (the POPI Act, or alternatively, POPIA), while fundamentally related, are actually two different things.
When we talk about the Protection of Personal Information (POPI), we’re talking about an ethical practice that supports the intrinsic right to every person’s privacy, online as well as offline.
POPI practices thus maintain that all personal information—i.e. data that can be used to identify a person’s identity and link it with online behaviour and practices—must be protected and that organizations that use that personal information must do so responsibly and transparently.
In South Africa, POPI principles have been incorporated into law by the South African government with the Protection of Personal Information Act (the POPI Act), in order to legislatively safeguard the constitutional right to privacy and regulate and govern best POPI practices for persons or organizations in South Africa that handle and process personal information.
The POPI Act joins a host of other legislation throughout the world, such as the European Union’s General Data Protection Regulation (GDPR), and strives to harmonize with international standards for POPI best-practices and regulate data protection matters into a singular set of rules, while taking into account the vastly evolving state of technology and the internet.
What is the POPI Act?
Officially titled “the Protection of Personal Information Act No 4 of 2013”, the POPI Act is an official piece of legislation passed into law by the South African President in 2014—and while (as of February 2019) it has been constitutionally legalized, many parts have yet to be officially made effective.
Essentially, what the POPI Act boils down to is a set of laws that function to hold organizations accountable for how they handle, process and disseminate personal information and how that information is used, in order to ensure that a person’s privacy is always taken into account and respected.
Companies that keep and use such data will have to change the way that personal information is stored and used, or risk fines of R10 million and/or 10 years imprisonment—as well as the accompanying loss in reputation.
When is the POPI Act commencing?
The truth of the matter is that it’s not that straight-forward to answer that question. While the Act has been signed into law by the President, and some sections of the act have already been made effective (as of 11 April 2014), other sections of the act have not.
Other than the establishment of the Information Regulator, which is the independent watchdog body tasked with regulating and monitoring POPI compliance—other sections (mostly the sections that deal directly with regulations) have not yet been commenced.
We are still waiting for the President to give the go-ahead, and when they do, the one-years’ grace period will officially commence, and companies and businesses that handle Personal Data must start ensuring that their systems in place are POPI compliant, or risk potential fines from the Information Regulator.
Until then, all companies can do is do their due diligence and ensure that if you retain personal information, or leave those services up to third-party organizations, that data must be securely stored and used only according to the regulations.
What does the POPI Act mean for your business?
It is important to note that while the POPI Act is law, it only applies to companies that handle and store data defined as “personal information” (i.e. home addresses, ID numbers, etc).
Often, by simply adapting processes and not keeping certain information, or keeping data in a way that the link between a person and their information is broken—as long as it is not essential to your business—POPI compliance will not be needed.
While, for small businesses and start-ups, this is a simple process, as there are no legacy systems in place that will need to be fully overhauled, for bigger, more established companies this might take some time and effort.
So, we recommend starting the process sooner rather than later and avoid the risk of not having your systems in place when the grace period ends.
To that end, there are many POPI Act workshops, specifically designed to give businesses a far more detailed analysis of the POPI Act and its regulations.
What does the POPI Act mean for the Cloud?
The POPI Act also sets down regulations for cloud-based data storage—a section that is particularly important for us at Digital Cabinet, as our platform is entirely cloud-based.
Many companies often use third-party companies, or ‘operators’ as defined by the act itself, to store or their data on their secure online infrastructure, such as Google, Amazon and Microsoft, for example.
One thing to make note of is that, instead of being a means to prevent your business from using the cloud, the POPI Act is more a means to ensure that your cloud-services providers are POPI compliant.
Also, it is important to note that operators are not responsible for what responsible parties do with the data on their servers.
POPI compliance is the onus of the organization that uses the data, not necessarily on the company that stores the data. However, There must be a signed legal contract between operators and responsible parties, making it clear where the responsibilities and liabilities lie.
The POPI Act effectively ensures that the responsible parties—i.e. the people that decide what to do with their personal client information—are obligated to safeguard that information and must only use operators that meet the requirements for lawful handling of personal information.
Since cloud providers based in South Africa are governed by the POPI Act, they must be compliant and maintain sufficiently secure conditions and transparency for the lawful processing of personal information.
As long as your cloud-services provider is POPI compliant or your service provider’s servers are based in countries with equally-stringent privacy laws and regulations, like the European Union’s General Data Protection Regulation (GDPR), you should be fine—making sure you are aware of exactly who is handling your data and where they are located is essential, for that is your ethical responsibility.
How Is Digital Cabinet POPI Compliant?
As an ‘operator’ ourselves, we are dedicated to making sure your data is secure on our servers.
Here are just some of the ways Digital Cabinet makes sure your data and how you use our platform remains secure, private and visible only to you and those you have granted access to—and no one else:
- Data Centre—All of our servers are housed in a secure, fire-proof and air-conditioned data centre, with software and hardware firewalls, 24-hour on-site engineers, daily automated backups, and disaster recovery facilities.
- Web Monitoring—Our team of engineers constantly monitors web traffic to detect intrusion attempts and pre-empt unauthorised access. Every single request to the server is stored and monitored for inconsistencies.
- SSL Certificate—All data transmitted to/from our cloud environment is transmitted securely over a 256-bit encrypted Secure Socket Layer (SSL) connection.
- Password Encryption—All passwords are encrypted using leading iterative algorithms with random keys and salts. The results are stored as highly secure hashes in our database.
- Data Encryption—All documents are stored using 256-bit encryption keys, and these are only decrypted upon retrieval by an authenticated user.
- Session Encryption—All session data is encrypted with a 256-bit key to prevent network traffic interception and add an additional layer of security.
- Data Sanitization—All user inputs and outputs are strictly sanitized in order to prevent SQL injection and cross-site scripting attacks.
Ultimately, it is recommended that companies do their due diligence and ensure POPI compliance as soon as possible.
Instead of waiting for the Act to be made effective and the years’ grace that follows, rather do it now, or have contingencies in place as soon as possible, than risk the reputation of your business.
Join us in our Compliance segment next month, where we will be discussing the differences between POPIA and the EU’s GDPR.
Until then, however, thanks for coming to our TEDTalk.
You can find out more about Digital Cabinet at www.digitalcabinet.co.za