The Protection of Personal Information Act (POPI, or POPIA) commenced on 1 July 2020 by presidential proclamation, with a one-year grace period before its provisions became enforceable on 1 July 2021. The Act is legislation, not a voluntary code of conduct: every organisation in South Africa that processes personal information must comply with it. In practice this means that all organisations in the country need systems in place to govern and protect the employee, customer and supplier records that contain personal information. This is where F-Secure's RADAR vulnerability management solution fits, as a tool that helps an organisation find and remediate the weaknesses that lead to security breaches and the theft of personal information. The Act also obliges a responsible party to notify the Information Regulator and the affected data subjects when personal information has been accessed or acquired by an unauthorised person, so in the aftermath of a breach an organisation will need to show what protective measures it had in place if it is to avoid enforcement action and the substantial fines that may follow from non-compliance. Fortunately, F-Secure has substantial knowledge and hands-on experience drawn from a closely related regime, the General Data Protection Regulation (GDPR), which has applied since May 2018 in the European Union, where the company is based.
GDPR and POPI are, at their core, different versions of much the same legislation, and an organisation that is GDPR compliant will already be most of the way to POPI compliance. One notable difference lies in scope: GDPR protects the personal data of data subjects who are in the EU, irrespective of their citizenship, and reaches organisations outside the EU that offer those people goods or services or monitor their behaviour, whereas POPI applies to processing by a responsible party domiciled in South Africa, or by one not domiciled there but using means in South Africa, and protects the personal information of anyone, including juristic persons such as companies, rather than only natural persons. A further benefit of complying with the Act is commercial: organisations and individuals prefer to do business with companies that comply and can produce evidence that they do. Much as the GDPR marked the biggest change to data privacy law in the EU in more than 20 years and transformed the way organisations manage and secure personal data, the POPI Act will have a substantial effect on every company in South Africa going forward.
At the heart of POPI is accountability for the handling of personal information. Much as GDPR makes the controller and processor responsible for ensuring that all of its data protection principles are adhered to, POPI requires the responsible party to secure the integrity and confidentiality of personal information in its possession or under its control. The Act stipulates that this must be done by taking appropriate and reasonable technical and organisational measures, which in turn means identifying the reasonably foreseeable risks to that information, establishing safeguards against them, and regularly verifying that the safeguards are implemented and still effective.
With only a year of grace period before the Act becomes enforceable, organisations are starting to get to grips with what POPI will mean in practice and with its various obligations. Getting data protection right requires an upfront investment but pays off down the line, not only in better compliance and fewer breaches that result in the theft of personal information, but also as a competitive advantage. In the long term, the Act has the potential to change best practice across industries in how personal information is processed. Once initial compliance efforts are complete, redesigning business processes and technical implementations with data protection in mind will be the most effective way to keep personal information secure in the future.
With F-Secure RADAR you can meet customers' vulnerability management needs with a single solution. RADAR is a turnkey tool that gives a full overview of the vulnerabilities exposed on both internal and external systems, and the prioritisation and remediation tracking it provides give customers a documented, repeatable way of meeting the Act's requirement to take appropriate and reasonable technical measures and to verify that they remain effective. Note that vulnerability management addresses the technical side of that obligation; the organisational measures the Act also demands, such as appointing an information officer, documenting processing activities and establishing breach notification procedures, still have to be put in place alongside it.