Here's why you are not POPIA/GDPR compliant

The Protection of Personal Information Act (POPIA) took effect on 01 July 2021, and applies to any entity processing personal data which is resident in SA, or not domiciled but uses digital or physical methods of processing biometric or behavioural data in the country. In this article, we take a look at both POPIA and GDPR, compare the two and look at the most common reasons why businesses are not compliant with these laws.

Covered In This article:

Last-minute Scrambling 
Skipping These POPIA Conditions
The Difference Between POPIA And GDPR
Eight Personal Data And Privacy Rights Maintained By GDPR
Ignoring Assistance

Last-minute Scrambling

While corporations scrambled to be compliant to avoid fines of up to R10 million for failing to protect their consumers' or data subjects’ personal data (including how their data is accessed, stored, controlled and used), many local companies still lag behind 100% compliance to a formalised POPIA programme.

Reasons may include the lack of guidance, internal channels or knowledge, reluctant uptake into corporate culture, as well as reliance on paper documents and legacy storage. The following touchpoints explain why your company may not be POPIA compliant.

• Information Officer

It is obligatory to appoint an information officer, the person who is responsible for ensuring that the organisation complies with the POPI Act, and register them with the information regulator.

• File Plan Or Business Classification Scheme

A formalised classification system needs to be developed so records can be identified, stored, retrieved and managed, across all formats and locations.

• Records Retention

Records must be captured, kept up-to-date and maintained − only of those data subjects which are relevant to the purpose, only for the length of time for which they are required, and only for the purpose for which they were gathered. This requires the creation of a records retention schedule.

• Records Disposal

A disposal programme of all records (not limited to personal records) must be put in place and followed. Duplicates must be destroyed, either in paper or electronic formats. The paper must be shredded and devices thoroughly expunged and wiped clean of all relevant data.

Skipping These POPIA Conditions

• Processing Limitation

Processing information must be obtained directly from the data subject with their consent, processed in a fair and lawful manner, and only info required for the specific purpose for which it is gathered may be stored. The data subject must consent to information gathered from third parties, and also to info gathered for future use.

• Purpose Specific

The purpose – explicit, legitimate and lawful – for which personal data is collected must be documented, adhered to and understood by the data subject, and the data destroyed after it’s used for the purpose it was gathered. Organisations must account for the data they hold and set a date for its destruction.

• Further Processing Limitation

Personal data may not be processed for a secondary purpose unless that processing is compatible with the original purpose. Reuse requires permission from the data subject, who must be made aware of the continuous use of their data.

• Information Quality

It is necessary to validate captured data in real-time from the data subject to ensure its accuracy and reliability, and if the data is not inputted by the data subject themselves or if it is captured between formats (eg. paper to IT), the data subject must then validate the data. Data subjects must be kept abreast of methods of updating their info or withdrawing consent for their data use entirely.

• Openness

Proof of consent from data subjects as to the method of their data gathering must be obtained, and they must be made aware of the purpose of the collection. Data subjects need to know the contact details of the information regulator, their right to lodge a complaint, and how to lodge a complaint.

• Security Safeguards

Personal information must be kept secure against the risk of loss, unlawful access, interference, modification, unauthorised destruction and disclosure. This requires a safety and security risk assessment, and a procedure in place to safeguard against risks and prevent data from falling into the wrong hands. For example, USBs, data DVDs and external hard drives must be stored with paper files in a secured repository. Encryption software and firewalls must be installed and tested regularly.

It’s also necessary to define which employees have access to what data, and what to do when data is accessed or changed in the case of a data breach – how to identify the source, how to neutralise the breach, how to update safeguards in response to new risks, and how to prevent a data breach reoccurrence. For example, by changing the network password regularly.

The data subject whose data has been breached must be informed (by email or in writing) as soon as reasonably possible, and information conveyed as to how they may safeguard against the consequences of said breach. The Information Regulator must also be informed in such an event.

When sharing data with third parties and external operators, background checks should be conducted. A contract must be written up to guarantee the third party adheres to the security measures, and the operator is required to immediately advise if there has been unauthorised access or acquisition of personal info.

An incident response plan should include a list of contacts including PR and law firms, forensic data experts and credit monitoring companies to minimise harm to your company and the data subject.

• Data Subject Participation

Data subjects may request information from you on whether you are holding their personal information. This request may not be declined and may not be charged for. The full nature and details of the information being held must also be provided on request but a charge may be levied for this information. Data subjects must have recourse to correct their data and withdraw their consent for use of their data at any time.

The Difference Between POPIA & GDPR (General Data Protection Regulation)

It seems a moot point for SA companies whether to comply with GDPR or POPIA first as both deadlines have expired (GDPR was 25 May 2018 and POPIA was 01 July 2021). However, it is recommended that adherence to both be conducted simultaneously. Both are data protection laws and share more similarities than differences. GDPR is more an update and less an overhaul, and compliance to both just requires some minor tweaking.

GDPR is a regulatory framework that applies to any data processing done by a controller in the EU. It obligates corporations to safeguard the personal data and information of EU data subjects regarding transactions which take place within EU member states. It also applies to any company with a presence in an EU country, even if the entity processing the data is not in the EU, offering products and services to EU citizens.

As the EU represents one of SA’s biggest trading partners, local companies trading in EU countries are required to adhere to POPIA and GDPR. There are rumblings that POPIA should be amended to fit GDPR to avoid duplication of regulations, but the consensus is that SA entities need dual compliance.

GDPR & POPIA Similarities

Both require an information officer/regulator (registered under POPIA) or a data protection officer (DPO for GDPR). The DPO is nominated by the data controller or processor for companies processing significant amounts of personal user data. The DPO’s responsibilities include monitoring data protection policy, storage and transfer processes, educating employees about compliance, taking action regarding data subject access requests, and being the go-between for the organisation and GDPR authorities.

SA refers to “protection of personal information”, other countries use the term “data protection” and the US mentions “data privacy”, but all phrases have the same meaning. The security duties of the DPO and the information officer differ in wording, however.

GDPR & POPIA Differences

GDPR makes no provision for legal or public sector body protection, and exempts certain SMEs from keeping records, unlike POPIA, as well as exempting some organisations from having a data protection officer, unlike POPIA’s provision for same. GDPR features the right to be forgotten and data portability, and requires data protection impact assessments. Penalties for GDPR infringement also differ from those of POPIA.

Ignoring GDPR Compliance

The following guidelines are a good indication of whether or not your company is GDPR-compliant.

GDPR rules manage the majority of personal data points about data subjects, used to identify specific individuals, which companies acquire on every digital platform imaginable. These data point protections include routine website data requests such physical device specs, IP and email addresses, as well as general, basic identity data related to an online, living human being.

These contain information related to a data subject’s sex life and orientation, political opinions, ethnic/racial info, biometric data, genetic and health data, location, cookie and RFID tag data. GDPR cookie compliance is actioned by cookie banners on websites that permit data subjects to select and accept specific cookies for activation, rather than others.

Basic identity information also comprises user-generated data content such as the transmission of personal data online. Medical records, data subject images, browsing and online purchasing history, and social media posts on Facebook, Instagram, Tumblr, TikTok, Twitter and Mastodon, among others, are included and protected.

Eight Personal Data & Privacy Rights Maintained By GDPR

These rights bolster the agency individuals have over their own data:

• The right to access: Data subjects are within their rights to request access to their personal data. They are entitled to know how their data is used, processed, stored, or transferred to other entities. Free electronic copies of personal data must be provided upon request within a month.
• The right to be informed: Individuals must be informed and give consent (not automatically implied) before gathering and processing their data.
• The right to data portability: This enables users to transfer their info at any time from one service provider to another, in a format that is easily used and read by devices.
• The right to be forgotten: When users become former users or no longer consent to have their data used, they may have their data deleted.
• The right to object: The immediate termination of data use and processing is the right of any user to request.
• The right to restrict processing: Data subjects are able to request an end to general or specific processing of their data, and have the option of choosing their data to remain intact.
• The right to be notified: People are to be notified by a data protection officer within 72 hours of a compromising personal data breach discovery by a company, and the company is not allowed to instigate procedures that acquit them from countering such data breaches.
• The right to rectification: Users are enabled to request the updating, completion, or correction of their data.

It’s mandatory for companies doing business in EU countries to have a physical representative in the EU – either a subsidiary, corporate affiliate or data protection officer to be the point of contact for EU GDPR authorities and data subjects, one who also keeps processing records. If not, it’s possible to identify an independent entity or person as a “GDPR Representative as a Service” to ensure compliance.

Affirmative consent is the mainstay fueling GDPR compliance, and entails the shift from an “opt-out” tactic to “opting in” vis-à-vis collecting and processing data. Opting users in automatically and then allowing them to opt out is no longer allowed. Instead, explicit permission must be sought for every data scrape, collection, storage procedure and process; even getting a data subject’s email to add to a database.  

Users have legal leverage to determine how their data is presented to themselves and others. Witness the recent lawsuit against Google for Android location tracking, in which Android users were misled into believing that by disabling the "Location History" in the device's settings, location tracking would be disabled. Not so fast – Google used another account setting to continue to collect, store and use individuals’ personally identifiable location data. Companies are also responsible for their vendors’ compliance with GDPR and the company subcontracting is liable for vendor infringements.

Furthermore, GDPR regulations apply to cloud-based storage and the onus is on the company using the service to ensure the cloud storage provider is GDPR compliant. Finally, with GDPR, human and user rights trump user experience. Our data-driven experiences are lived online and offline. We are constantly exposed in our personal and professional capacities to cyber-attacks, viruses, malware, DoS attacks, phishing scams, identity theft, website spoofing, ransomware, password theft and cyberstalking. POPIA and GDPR make our digital lives a safer and more robust place to be.

Ignoring Assistance

Look out for our post where we tell you about how a CRM tool, like HubSpot, offers solutions for GDOR compliance, while HubSpot partner, Velocity, removes the pain points of POPIA. Please go here for more about Velocity and POPIA.