
Ultimate Guide to The POPIA - South Africa’s Privacy Law 


Over the last several years, there have been several generally applicable data privacy and protection laws rolled out around the world, starting with Europe’s General Data Protection Regulation back in 2018.  

South Africa’s Protection of Personal Information Act (POPIA) initially passed in 2013 but spent seven years in limbo, only coming into effect on July 1, 2020. With the ever-present threat of a data breach, it is essential that security and business leaders understand which of these standards they are bound by, how to comply with them, and the consequences of a compliance breach.  

What businesses does the POPIA apply to?  

The POPIA applies to every type of company, regardless of size, sector, or location, so long as it is either:  

  • Based in South Africa, or  
  • Based outside of South Africa, but processes personal information within South Africa (unless it is only forwarding personal information through South Africa). 

That means that non-South African companies doing business in South Africa should comply with the POPIA, whether or not they have any physical presence in the country.  

Wondering how to ensure compliance? Skip ahead to the section “How can cybersecurity help me stay compliant with the POPIA?”. Otherwise, keep reading to find out what information is considered personal under the POPIA.  

What’s considered “personal information” under the POPIA?  

Remember: compliance is all about consumer privacy. So the POPIA, like the GDPR and CCPA, mandates that businesses properly “process” personal information, which includes collecting it, erasing it, and disclosing it to any third parties.  

The POPIA defines “personal information” as:  

“Information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.”  

Within this definition:  

  • A “natural person” means an individual. 
  • An “existing juristic person” means a “legal person,” such as a corporation or charity.  

Importantly, by extending the definition of “personal information” to “juristic (legal) persons,” the POPIA gains a very broad scope that would cover certain business-to-business communications, too.  

Here’s a non-exhaustive list of examples of personal information provided within the POPIA:  

  • Information relating to race, gender, physical or mental health, or belief  
  • Information about a person’s education, medical history, or financial history 
  • An ID number, email address, phone number, or online identifier  
  • Biometric information 
  • A person’s opinions or preferences 
  • Private correspondence 
  • Opinions about a person 
  • A name, if the context in which the name is disclosed would reveal something about a person  

This data could relate to a business’s customers, employees, business contacts, prospective customers, and even visitors to its website.  

Compliance tip: You should conduct an audit of all the personal information your business handles. You’ll need to determine whether you are meeting the POPIA’s conditions for lawful processing, including applying appropriate data security safeguards.  

Who’s liable under the POPIA?  

We’ve already outlined which businesses need to comply with the POPIA. But, what about liability? The two main players are the “responsible party” and the “operator.”  

What is a “responsible party”?  

A “responsible party” is a public or private body that decides why and how to process personal information. A similar concept is the “data controller” under the GDPR and the “business” under the CCPA.  

What is an “operator”? 

An “operator” is a person who processes personal information for a responsible party but is not under the responsible party’s direct authority. A similar concept is the “data processor” under the GDPR and the “service provider” under the CCPA.  

Operators are directly liable under the POPIA and must treat the personal information they process as confidential and should never disclose it without the responsible party's authorization. In the event of a data breach, they must notify the responsible party immediately.  

Responsible parties, on the other hand, must ensure they only engage operators under a written contract (which should ensure that the operator meets the POPIA’s data security obligations). They must also monitor the operator’s activities to ensure that it meets those obligations.  

Everyone is responsible on some level for ensuring safe (and compliant) data processing.  

Compliance tip: You’ll need to review all contracts with business partners who process personal information on your behalf. Such companies may include marketing companies, recruitment companies, and web analytics providers. You may need to adjust your service contracts so that they include a requirement to safeguard personal information.  

Now that you know who must comply with the POPIA, who’s liable, and what data is considered “personal”, we’ll explore the most important concept: how to lawfully process data under the POPIA.  

How do I lawfully process data under the POPIA?  

The POPIA provides a set of eight conditions businesses must satisfy when processing personal information. To be truly effective (and ultimately ensure compliance) these principles must be baked into your overall business operations, from cybersecurity to HR.  

In brief, the eight conditions for lawful processing are:  

  1. Accountability: You must ensure POPIA compliance in respect of all the personal information in your control.  
  2. Lawfulness: You must only collect personal information if it is adequate and non-excessive. You must have a legally justifiable reason for collecting personal information. Where possible, you must collect personal information directly from the data subject.  
  3. Purpose specification: You must only collect personal information for a specific purpose, and you must not store it for longer than necessary to meet that purpose.  
  4. Further processing limitation: You may only process personal information for further purposes if they are compatible with the reason you collected it.  
  5. Information quality: You must ensure the personal information you maintain is accurate and complete.  
  6. Openness: You must be transparent about how you process personal information and provide consumers with notice of how and why you process their personal information.  
  7. Security safeguards: You must take reasonable steps to secure the personal information in your control, and you must report any data breaches as soon as reasonably possible.  
  8. Data subject participation: You must allow data subjects to access their personal information and correct or erase any inaccurate personal information.  

But there are additional requirements for particularly sensitive information. 

What types of information are considered “special” under the POPIA? 

Under the POPIA, particularly sensitive types of personal information are called “special personal information.” The categories of special personal information include:  

  • Religious or philosophical beliefs  
  • Race or ethnic origin 
  • Trade union membership 
  • Political persuasion  
  • Health or sex life 
  • Biometric information 
  • Information about criminal behaviour, such as alleged offenses that have been committed by the individual, and proceedings that may have taken place regarding the alleged offenses. 

Like the GDPR, the POPIA places a general prohibition on the processing of special personal information. However, it is possible to process special personal information on the following grounds:  

  • With the consent of the data subject.  
  • To exercise or defend your legal rights or obligations. 
  • To comply with an obligation under international public law. 
  • For historical, statistical, or research purposes in the public interest. 
  • Where the information has been made public by the data subject. 

How can cybersecurity help me stay compliant with the POPIA?  

We know what you’re thinking: what steps can I actually take to ensure that every individual, team, and department across my organization processes data safely? Like other compliance standards, the POPIA mandates “appropriate, reasonable technical and organizational measures” to prevent the loss of, damage to, and unauthorized access to personal information.  

The POPIA sets out four broad ways in which responsible parties must secure personal information:  

  1. Identify internal and external risks  
  2. Establish and maintain safeguards  
  3. Regularly verify safeguards 
  4. Continually update safeguards  

The POPIA also requires that responsible parties keep up to date with any sector-specific security standards and professional regulations, and ensure that any operators also apply security safeguards to personal information.  

There’s a lot to unpack here. But it all comes down to data loss prevention (DLP). While you can read all about DLP in our 2024 Data Loss Landscape report, we’ll outline the different “types” of DLP below.  

Note: DLP does more or less the same thing wherever it is deployed – it looks for sensitive information crossing boundaries. Legacy DLP solutions, however, only operate at a single “perimeter”. Modern DLP takes a human-centric approach to data loss prevention across cloud, email and endpoint: rich context around content and user behaviour surfaces data exfiltration by careless, malicious and compromised insiders.  
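To make “sensitive information crossing boundaries” concrete, here is an added example (not Proofpoint’s code and not from the article) of a minimal content-inspection rule for the identifiers the POPIA lists as personal information. It assumes that “ID number” means the 13-digit South African ID, whose last digit is a Luhn check digit, that phone numbers use the +27 or 0 prefix, and that `example.co.za` is the organization’s own domain; the message body is constructed.

```python
import re
from datetime import datetime

# Detectors for identifiers the article lists as "personal information".
# Assumption: "ID number" means the 13-digit South African ID (YYMMDD + 7
# digits, last digit a Luhn check digit); phones use the +27 or 0 prefix.
CANDIDATE_ID_RE = re.compile(r"\b\d{13}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
SA_PHONE_RE = re.compile(r"(?<!\d)(?:\+27|0)(?:[ -]?\d){9}\b")

# Constructed sample of an outbound message body (not from the article).
SAMPLE_BODY = ("Hi, please onboard the new hire: ID 8001015009087, "
               "mobile +27 82 555 0101, email jane.doe@example.co.za. "
               "Courier tracking number 8001015009088 is attached.")

def luhn_valid(digits):
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def is_sa_id_number(digits):
    """13 digits with a real YYMMDD birth date and a valid check digit."""
    if len(digits) != 13 or not digits.isdigit():
        return False
    try:
        datetime.strptime(digits[:6], "%y%m%d")
    except ValueError:
        return False  # e.g. 13-digit invoice or tracking numbers
    return luhn_valid(digits)

def find_personal_information(text):
    """Return (category, value) pairs; checksum validation drops look-alikes."""
    found = [("sa_id_number", m.group()) for m in CANDIDATE_ID_RE.finditer(text)
             if is_sa_id_number(m.group())]
    found += [("email", m.group()) for m in EMAIL_RE.finditer(text)]
    found += [("phone", m.group()) for m in SA_PHONE_RE.finditer(text)]
    return found

def outbound_verdict(text, recipient_domain, own_domain="example.co.za"):
    """Only a boundary crossing matters: block personal data leaving the org."""
    if recipient_domain.lower() == own_domain:
        return "allow"
    return "block" if find_personal_information(text) else "allow"
```

The tracking number in the sample shares the ID layout but fails the check digit, which is the kind of false positive a real DLP rule must suppress to stay usable.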

Cloud DLP

Cloud DLP protects data in motion by monitoring the traffic that enters and leaves the organization’s network. These solutions are mostly cloud-based and are designed to monitor network traffic between users and other endpoints connected through the Internet; every byte of data transmitted through a network will go through the cloud-based DLP solution.  

Endpoint DLP  

Endpoint DLP protects data in use on employees’ devices (computers, mobile phones) by preventing unauthorized access. It does this by allowing or denying specific actions on the device, so that information cannot be taken off work devices and sent or copied to unauthorized devices.  

It can also detect and block viruses and other malware that could be transferred into your computer systems from external sources, such as a USB drive.  

Adaptive Email DLP  

Misdirected emails lead to data loss. Proofpoint Adaptive Email DLP harnesses behavioural AI to prevent both accidental and intentional data loss over email: it detects anomalous behaviour in real time and warns users before they make a costly mistake. With Proofpoint, you can avert data breaches that conventional DLP approaches miss.  

Learn more about how Proofpoint prevents accidental data loss to help organizations around the world stay compliant.  

But organizations need more than security solutions. Under the POPIA, every public and private organization must also have an Information Officer. What are their responsibilities?  

  • Encouraging the organization to comply with the conditions for lawful processing.  
  • Assisting data subjects with requests to access their personal information. 
  • Working with the Information Regulator in the event of an investigation. 
  • Otherwise ensuring that the organization complies with the POPIA.  

Once you have appointed your Information Officer, you must register them with the Information Regulator. But what happens if DLP solutions (and your Information Officer) don’t successfully prevent data loss and a breach occurs? You must notify relevant bodies. “Investigation and remediation are generally the costliest categories in an overall data breach. Which, by the way, cost organizations $4.45 million on average,” according to IBM’s latest Cost of a Data Breach Report.  

What do I do in the event of a breach?  

If personal information is subject to unauthorized access (e.g. a data breach occurs), responsible parties must notify the Information Regulator and the affected data subjects. 

Importantly, this must happen “as soon as reasonably possible” and should include:  

  1. A description of the consequences of the breach. 
  2. An explanation of what the responsible party has done to contain the breach. 
  3. Advice to the data subjects regarding how to mitigate the impact of the breach. 
  4. The identity of anyone who may have accessed the personal information (if known).  

What are the penalties under the POPIA? 

Breaches of the POPIA can lead to harsh penalties brought by the Information Regulator, including:  

  • A fine of between 1 million and 10 million ZAR (approximately $60,000 – $600,000 USD).  
  • Imprisonment for a term of up to ten years. 
  • Both a fine and a prison term.  

The POPIA also contains a private right of action, meaning that individual data subjects can bring a private legal claim against a responsible party. A case brought under the POPIA could lead to:  

  • “Actual damages,” to compensate data subjects for any losses they have incurred. 
  • “Aggravated damages,” to compensate data subjects for the distress they have experienced. 

Fines, imprisonment, and lawsuits are not the only concerns for businesses processing people’s personal information in South Africa. Even small-scale data breaches can lead to a complaint being lodged with the Information Regulator.  

If you take nothing else away from this article, it should be that compliance and security go hand in hand. Businesses in South Africa and beyond must take the necessary steps to safeguard the data their organizations process and hold, which requires dedicated security and IT teams and a strong data loss prevention strategy.  
