POPIA and Email Data: How to Comply Affordably
If your business is based in South Africa, here’s what you need to know about the Protection of Personal Information Act (POPIA). This short guide outlines your organisation’s responsibilities, how the act compares with GDPR and how it applies to email data.
Some reassuring words
While you get to grips with POPIA, it’s good to know that compliance with regards to your organisation’s email data is easier than you think. You can address it and GDPR compliance, as well as forensics and business continuity, all together with one easy-to-use and affordable email archiving solution. More about that shortly. First, here's what you need to know about POPIA.
Background: meeting international privacy standards
Privacy rights and the need to protect personal information have been issues for some time now. Not just in South Africa, but in many other countries as well. With organisations collecting increasing amounts of electronic personal data, something had to be done to protect it.
This is why the EU introduced the General Data Protection Regulation (GDPR), which came into force in 2018.
In the US, the state of California’s Consumer Privacy Act (CCPA) took effect in 2020 and will be complemented in 2023 by the California Privacy Rights Act (CPRA). Other states are looking to follow them with similar legislation.
Australia and New Zealand have recently tightened up their privacy/personal data laws too.
And now, South Africa joins them with the Protection of Personal Information Act (POPIA).
Developed over many years, and closely connected to the country’s constitution, POPIA came into effect on 1 July 2021. The Act recognises that “section 14 of the Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy”. This includes “a right to protection against the unlawful collection, retention, dissemination and use of personal information”.
The new law is designed to “regulate, in harmony with international standards”. There are similarities and differences with GDPR, which you can read about below.
How does POPIA define personal information?
The act says personal data is information that relates to an identifiable living person or, in some cases, to an identifiable, existing juristic person (that is, a company or other similar legal entity). Relevant data also includes account numbers and “special personal information” about a data subject’s:
- religious or philosophical beliefs
- race or ethnic origin
- trade union membership
- political persuasion
- criminal behaviour (with certain exceptions)
- biometrics (with certain exceptions)
Which organisations does POPIA affect?
The POPI Act applies to any public or private body that collects and processes the personal information described above of any South African citizen or organisation.
The industries most affected are financial services, healthcare, and marketing.
How does POPIA affect your business?
Under the POPI Act, your organisation must have an appointed information officer.This person is responsible for ensuring your business complies with the act. The officer’s duties are described on this Government website.
There are eight conditions your organisation must meet to process personal information lawfully. They are:
- Accountability. It’s the responsibility of your business to make sure the conditions for lawful processing are met.
- Processing limitation. Your business must be able to justify the processing of personal information so that it’s done lawfully and minimally, on grounds recognised under POPIA, such as consent or legitimate interests. Also, you must have the data subject's consent, unless certain exceptions apply.
- Purpose specification. Your business must have a specific, explicitly defined and lawful purpose for processing the information, and comply with POPIA’s retention and restriction of records provisions.
- Further processing limitation. Further processing must be in accordance with or compatible with the purpose for which your business originally collected it. This is subject to limited exceptions.
- Information quality. Your business must take steps to make sure the information is complete, accurate, not misleading and updated when this is necessary.
- Openness.Your business must document all processing operations and make sure the data subject knows that you are collecting their personal information and how you intend to use it.
- Security safeguards. Your business must:
- take appropriate, reasonable technical and organisational measures to securely maintain the integrity and confidentiality of any personal information it holds;
- have a written contract to ensure that the operator processing personal information for your business has established security measures and maintains them;
- if personal data is discovered to be compromised (for example, hacked or lost), your business must notify the Information Regulator and the data subject as soon as reasonably possible after the discovery.
- Data subject participation. Your organisation must allow a data subject to see the personal information you hold on them, if the data subject asks you. Also, you may need to correct, delete or destroy personal information.
Is POPIA like GDPR?
South African companies that deal with EU citizens must comply with GDPR, which is similar to POPIA. Both are designed to:
- Protect individuals’ rights to privacy – one of South Africans, and the other of EU citizens.
- Make organisations that collect or process personal information responsible for safeguarding that data from theft, loss and misuse.
- Force businesses to take or implement appropriate technical and organisational measures to protect that data.
- Require organisations to appoint a person to oversee their compliance. POPIA calls this person “the information officer”, and GDPR refers to them as the “data protection officer”.
Where are the two laws different?
- With POPIA, every organisation must have an information officer, while GDPR compels only some to have a data protection officer.
- GDPR applies only to individual people. POPIA extends to collected information from juristic persons (companies or similar legal entities).
- POPIA covers more categories of personal information, such as religious affiliations (see list above).
- POPIA’s fines for negligence in protecting data – up to ZAR 10 million, or US$700,000 – are less severe than GDPR’s. (With either law though, for more serious offences, you could face a prison sentence.)
- GDPR exempts some SMEs from having to keep records.
- GDPR grants data subjects the “right to be forgotten” – that is, you must delete any personal data you hold of theirs if they ask you to. In contrast, with POPIA, the information a data subject can make you delete must be inaccurate, irrelevant, excessive, out-of-date, incomplete, misleading or obtained unlawfully.
POPIA and email data
Your organisation’s old emails – both sent and received – contain lots of personal data of the types covered by POPIA:
- Employee data, ranging from CVs and contact details to performance reviews
- Customer and supplier correspondence including personal details
You’ve probably archived many years’ worth of such emails. So, it’s crucial to make sure you have an email archiving solution that can meet POPIA’s regulations.
Compliant, affordable email archiving
The good news is that you can easily comply with both POPIA and GDPR by implementing Cryoserver, an email archiving solution used by organisations of all types and sizes.
Not only does Cryoserver store emails securely; it also enables quick.forensic access and supports your business continuity.
Cryoserver is designed to meet any standard of privacy compliance in the world (as our parent company’s name promises: Forensic & Compliance Systems).
That’s why many South African and European businesses choose it. Other attractions include:
- a choice of on-premises solutions and cloud solutions (from a portfolio of data centres across the world including South Africa – we can ensure your data resides in RSA)
- a secure, independent, tamper-evident archive
- ensuring the integrity of emails so they can be used as evidence in court
- ease of use
- a lightning-quick search tool – essential for subject access requests under POPIA or GDPR, or for e-Discovery; users can find emails in seconds
- usefulness as an everyday business tool for all departments
- authorised user access controls
- fully audited access
- quick, simple, audited deletion of personal data when required by POPIA or GDPR
- greater flexibility of data ownership compared with other solutions
- the affordability of our on-prem solution compared with competitors
- our tech support team, who are famous for their knowledge and helpfulness