The Protection of Personal Information Act (POPIA) took effect on 01 July 2021. It applies to any entity resident in SA that processes personal data, and to any entity not domiciled in SA that uses digital or physical means within the country to process biometric or behavioural data. In this article we look at both POPIA and GDPR, compare the two, and examine the most common reasons why businesses are not compliant with these laws.
Last-minute Scrambling
Skipping These POPIA Conditions
The Difference Between POPIA And GDPR
Eight Personal Data And Privacy Rights Maintained By GDPR
Ignoring Assistance
While corporations scrambled to become compliant in order to avoid fines of up to R10 million for failing to protect their consumers' or data subjects' personal data (including how that data is accessed, stored, controlled and used), many local companies still fall short of full compliance with a formalised POPIA programme.
Reasons include a lack of guidance, internal channels or knowledge; reluctant uptake into corporate culture; and continued reliance on paper documents and legacy storage. The following touchpoints explain why your company may not be POPIA compliant.
It is obligatory to appoint an information officer, the person responsible for ensuring that the organisation complies with the POPI Act, and to register them with the Information Regulator.
A formalised classification system needs to be developed so records can be identified, stored, retrieved and managed, across all formats and locations.
Records must be captured, kept up to date and maintained: only for those data subjects relevant to the purpose, only for as long as they are required, and only for the purpose for which they were gathered. This requires the creation of a records retention schedule.
A disposal programme covering all records (not only personal records) must be put in place and followed. Duplicates must be destroyed, whether in paper or electronic format: paper must be shredded, and devices must be thoroughly wiped clean of all relevant data.
Information for processing must be obtained directly from the data subject with their consent, processed in a fair and lawful manner, and only the information required for the specific purpose for which it is gathered may be stored. The data subject must also consent to information gathered from third parties and to information gathered for future use.
The purpose for which personal data is collected, which must be explicit, legitimate and lawful, must be documented, adhered to and understood by the data subject, and the data must be destroyed once it has been used for the purpose for which it was gathered. Organisations must account for the data they hold and set a date for its destruction.
Personal data may not be processed for a secondary purpose unless that processing is compatible with the original purpose. Reuse requires permission from the data subject, who must be made aware of the continuous use of their data.
Captured data must be validated with the data subject in real time to ensure its accuracy and reliability; if the data is not entered by the data subject themselves, or if it is transferred between formats (e.g. paper to electronic), the data subject must then validate it. Data subjects must be kept informed of how to update their information or withdraw consent for its use entirely.
Proof of consent from data subjects to the method by which their data is gathered must be obtained, and they must be made aware of the purpose of the collection. Data subjects must also be told the contact details of the Information Regulator, their right to lodge a complaint, and how to lodge one.
Personal information must be kept secure against the risk of loss, unlawful access, interference, modification, unauthorised destruction and disclosure. This requires a safety and security risk assessment and a procedure to safeguard against those risks and prevent data from falling into the wrong hands. For example, USB drives, data DVDs and external hard drives must be stored along with paper files in a secured repository, and encryption software and firewalls must be installed and tested regularly.
It is also necessary to define which employees have access to which data, and what to do when data is accessed or changed in a data breach: how to identify the source, how to contain the breach, how to update safeguards in response to new risks, and how to prevent a recurrence, for example by changing network passwords regularly.
A data subject whose data has been breached must be informed (by email or in writing) as soon as reasonably possible and told how they may protect themselves against the consequences of the breach. The Information Regulator must also be informed of the breach.
When sharing data with third parties and external operators, background checks should be conducted. A contract must be drawn up guaranteeing that the third party adheres to the required security measures, and the operator must be required to advise immediately of any unauthorised access to or acquisition of personal information.
An incident response plan should include a list of contacts, including PR and law firms, forensic data experts and credit monitoring companies, to minimise harm to your company and to the data subject.
Data subjects may ask you whether you are holding their personal information. This request may not be declined and may not be charged for. The full nature and details of the information held must also be provided on request, although a charge may be levied for this. Data subjects must have the means to correct their data and to withdraw their consent for its use at any time.
It may seem a moot point for SA companies whether to comply with GDPR or POPIA first, as both deadlines have passed (GDPR on 25 May 2018 and POPIA on 01 July 2021). It is nevertheless recommended that compliance with both be pursued simultaneously. Both are data protection laws and share more similarities than differences; GDPR is more an update than an overhaul, and compliance with both requires only minor adjustments.
GDPR is a regulatory framework that applies to any data processing done by a controller in the EU. It obliges organisations to safeguard the personal data of EU data subjects in transactions that take place within EU member states. It also applies to any company offering products and services to EU citizens, even when the entity processing the data is not located in the EU.
As the EU is one of SA's biggest trading partners, local companies trading in EU countries are required to adhere to both POPIA and GDPR. There have been calls for POPIA to be amended to align with GDPR and avoid duplicated regulation, but the consensus is that SA entities need dual compliance.
Both laws require a designated officer: an information officer registered with the Information Regulator under POPIA, or a data protection officer (DPO) under GDPR. The DPO is nominated by the data controller or processor in companies that process significant amounts of personal user data. The DPO's responsibilities include monitoring data protection policy and storage and transfer processes, educating employees about compliance, acting on data subject access requests, and serving as the liaison between the organisation and the GDPR authorities.
SA refers to "protection of personal information", other countries use the term "data protection" and the US speaks of "data privacy", but all three phrases mean the same thing. The security duties of the DPO and of the information officer do, however, differ in wording.
Unlike POPIA, GDPR makes no provision for the protection of legal or public sector bodies, exempts certain SMEs from keeping records, and exempts some organisations from appointing a data protection officer. GDPR also provides the right to be forgotten and the right to data portability, and requires data protection impact assessments. Penalties for GDPR infringement differ from those under POPIA.
Ignoring GDPR Compliance
The following guidelines are a good indication of whether or not your company is GDPR-compliant.
GDPR rules govern the majority of personal data points about data subjects, used to identify specific individuals, that companies acquire across every digital platform imaginable. The protected data points include routine website data such as physical device specifications, IP addresses and email addresses, as well as general, basic identity data relating to a living human being online.
These data points also include information relating to a data subject's sex life and sexual orientation, political opinions, ethnic or racial origin, biometric data, genetic and health data, location, and cookie and RFID tag data. GDPR cookie compliance is implemented through cookie banners on websites that let data subjects select and accept specific cookies for activation rather than others.
Basic identity information also covers user-generated content, such as personal data transmitted online. Medical records, images of data subjects, browsing and online purchasing history, and social media posts on Facebook, Instagram, Tumblr, TikTok, Twitter and Mastodon, among others, are all included and protected.
These rights bolster the agency individuals have over their own data:
It is mandatory for companies doing business in EU countries to have a physical representative in the EU, whether a subsidiary, a corporate affiliate or a data protection officer, to act as the point of contact for EU GDPR authorities and data subjects and to keep processing records. Failing that, an independent entity or person can be appointed as a "GDPR Representative as a Service" to ensure compliance.
Affirmative consent is the mainstay of GDPR compliance, and entails the shift from an "opt-out" approach to "opting in" when collecting and processing data. Opting users in automatically and then allowing them to opt out is no longer permitted. Instead, explicit permission must be sought for every data collection, storage procedure and process, even obtaining a data subject's email address to add to a database.
Users have legal leverage to determine how their data is presented to themselves and to others. Witness the recent lawsuit against Google over Android location tracking, in which Android users were misled into believing that disabling "Location History" in the device's settings would disable location tracking. Not so fast: Google used another account setting to continue to collect, store and use individuals' personally identifiable location data. Companies are also responsible for their vendors' compliance with GDPR, and the company doing the subcontracting is liable for vendor infringements.
Furthermore, GDPR applies to cloud-based storage, and the onus is on the company using the service to ensure that the cloud storage provider is GDPR compliant. Finally, under GDPR, human and user rights trump user experience. Our data-driven lives are lived online and offline, and in both our personal and professional capacities we are constantly exposed to cyber-attacks, viruses, malware, DoS attacks, phishing scams, identity theft, website spoofing, ransomware, password theft and cyberstalking. POPIA and GDPR make our digital lives a safer and more robust place to be.
Look out for our post on how a CRM tool such as HubSpot offers solutions for GDPR compliance, while HubSpot partner Velocity removes the pain points of POPIA. Please go here for more about Velocity and POPIA.