POPI: Questions & Answers

Despite using different terminology (e.g. POPI refers to personal information, while the GDPR refers to personal data), many of the substantial obligations set out in the GDPR are also required by POPI.

For instance, just like the GDPR, POPI requires the processing of personal information to be adequate, relevant and not excessive (i.e. minimal) in relation to the purpose for which it is processed. This means that businesses complying with the GDPR have already made some headway in POPI compliance.

However there are some discrepancies between the legislation and in some instances, POPI has more stringent provisions than the GDPR. One such instance is that personal information under POPI applies to the personal information of both living natural persons and existing juristic persons where as the GDPR is confined to only personal data about natural persons.

It is therefore a good idea to always consult your legal adviser or the actual provisions of POPI to ensure that you are complying with your privacy obligations under POPI.

What is a ‘POPI Policy’?

A ‘POPI Policy’ is, broadly, a privacy policy which describes how an organisation collects, uses, stores, processes, and shares personal information of its data subjects.

It is important that an organisation takes its privacy obligations seriously and carefully considers the contents of its POPI Policy. Critically, no one size fits all when it comes to a privacy policy – organisations should avoid ‘off the shelf’ bought policies and rather tailor its POPI Policy to be applicable to its business. An organisation may require more than one POPI Policy – for internal purposes (i.e. its employees and prospective employees) and external (i.e. suppliers and services providers, on the one hand, and customers on the other).

An organisation’s POPI Policy should be effectively communicated to the data subjects concerned and POPI gives data subjects the right to be notified that personal information about him, her or it is being collected. In this regard we recommend that organisations host training sessions and educate its employees on the importance of data protection and its POPI Policy. An organisations POPI Policy may be embedded on its website (where applicable) and/or included in contractual arrangements with suppliers and customers.

Key take away:

Ensure your organisation has a privacy policy, or policies (as applicable); and

Review your employment, customer and supplier agreement to ensure that the contracts contain data protection clauses which align to your organisations privacy policies and/or incorporate, by reference, its privacy policy.

Data breach – now what?

A ‘data breach’ is not defined in POPI, but it generally refers to the access or acquisition of personal information by an unauthorised person. Where a data breach occurs, there exists an obligation on the responsible party to report the breach to (i) the Information Regulator; and (ii) the affected data subject (subject to certain limitations).

The notification must be made in writing as soon as reasonably possible after the discovery of the data breach. The notification must provide the data subject with sufficient information to allow the data subject to take protective measures against the potential consequences of the data breach.

Apart from any data breach notification obligations set out in POPI, there may be additional contractual obligations regarding what an organisation must do in the event of a data breach as set out in agreements with its suppliers, customers, or set out in its privacy policy.

Non-compliance with the obligation to notify is a breach of POPI and may, upon conviction of certain offences, lead to imprisonment, a fine, or both. To the extent that there are notification or other obligation in contract, an organisation must ensure adherence thereto to avoid a contractual breach. 

In order to ensure that an organisation meets all its obligations – under both POPI and contract – we recommend clients have a comprehensive incident response plan (Incident Response Plan) or IRP). This Incident Response Plan should set out what needs to be done by the organisation in the event of a data breach, including (but not limited to) who is assigned to respond to the breach; what the internal response times are; how the organisation will communicate the breach to the Information Regulator and data subjects and any other reporting requirements (both internally and externally).

An organisation could incur costs and losses as a result of the data breach. In this regard organisations should consider purchasing tailored cyber liability insurance which covers the losses associated with data breaches or cyber-attacks. An organisations Incident Response Plan should refer to this cyber liability insurance policy as notification to its insurers, and potentially external parties, will need to occur in accordance with the IRP.

Key take away:

• Ensure that your organisation has a comprehensive Incident Response Plan;
• Ensure that, where a data breach occurs, your organisation (i) notifies the Information Regulator; and (ii) each data subject impacted by the breach (to the extent applicable). We recommend that each organisation have a template data breach notification letter;
• In the event of a breach, ensure that the cause of the breach is investigated and repaired to avoid any further loss.

REASONABLE TECHNICAL AND ORGANISATIONAL MEASURES

What security safeguards would be regarded as appropriate?

Section 19(1) of POPI states that parties who process personal information must take “appropriate reasonable technical and organisational measures” to secure the integrity and confidentiality of personal information in its possession or under its control.

The measures provided for in section 19 are aimed at preventing the loss of, damage to or unauthorised destruction of personal information as well as unlawful access to or processing of personal information. Organisations should thus consider whether their current measures leave personal information vulnerable to being lost, damaged or destroyed and/or whether an unauthorised third party could easily access or process such personal information.

Organisations should ensure that the steps they take are appropriate within the context, and thus that the level of security is proportionately suitable and proper considering the personal information being processed. Accordingly, it would be appropriate for an organisation such as a hospital, which processes special personal information such as information regarding patients’ medical records, to have stricter and more robust data protection measures in place than a small business which only processes its clients’ email addresses and cellphone numbers.

These steps taken should also be reasonable, and organisations should thus measure their data protection safeguards against what would be logical, equitable and fair for an organisation in their position and not simply against a general standard or an organisation which is not comparable.

Which practical steps can a business take to comply?

The technical and organisational measures required by POPI are the pragmatic steps an organisation should implement to protect personal information. Organisations should consider the extent to which they process personal information as well as the nature of the personal information to assess which measures are appropriate. Section 19(2) of POPI sets the following requirements for organisations:

• Identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control: An organisation should conduct an audit or similar exercise to evaluate any flaws in its data protection systems in place, in order to establish which of its systems and/or processes leave personal information at risk.
• Establish and maintain appropriate safeguards against the risks identified: Once an organisation knows where its data protection vulnerabilities lie, it should implement practical steps. These steps range from sophisticated information technology solutions such as firewalls, anti-virus programmes and encryption (a process whereby information is converted to a code, so that only authorised users can read it) to simpler steps such as only giving persons and devices access to personal information on a need-to-know basis, ensuring that all devices and servers are password protected, and ensuring employees are educated about basic information security protocols as well as the organisation’s information security policy.
• Regularly verify that the safeguards are effectively implemented: Once the practical steps have been implemented, an organisation should be sure that these steps work and work effectively.Appropriate testing, scanning and analyses is required to determine whether the data protection measures are efficient and are being adhered to.
• Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards: Organisations should be mindful of the fact that compliance with POPI and the effective protection of personal information is not a once-off activity, but an ongoing process. The practical steps an organisation has taken should thus be scrutinised and evaluated regularly to ensure that these are aligned to and updated for potential changes to the organisation’s business, the personal information it processes and/or the type of processing it engages in.

Section 19(3) adds that organisations must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations. Certain industries may have additional responsibilities, such as those engaged in direct marketing or those processing personal information of minors, and organisations should ensure that they are well-informed about any particular additional obligations they may have.

What if processing of personal information is outsourced?

It is important to take note of the stipulation in section 19(1) that an organisation’s duty of care does not only apply to personal information in its possession, but also to personal information which is under its control.

If an organisation, in its capacity as a “responsible party” under POPI, outsources certain services which involve the processing of personal information, to a third-party (which POPI defines as an “operator”), that organisation remains liable for the protection of that personal information even though it is not processing the personal information itself. Organisations should therefore note that they cannot evade their data protection responsibilities simply by relying on a third-party service provider.

However, a third-party service provider may in some instances provide improved data security if it is a specialised service provider with stringent protection of personal information measures in place. To the extent that organisations rely on third-party service providers, these third parties should be reputable service providers with a proven track record.