What's popping with POPIA?

18 September 2019
Written by Gericke Potgieter

Gericke is responsible for marketing systems management and data analytics at EPI-USE Labs. He is a qualified ISO 27001 Lead Implementer and has an MA in Socio-informatics (Decision Making Theory). He has spent most of his career in IT, strategy consulting and software development.

In this blog post, we provide a quick overview of the POPI Act, how it differs from GDPR, and practical steps you can take towards POPI compliance, specifically for SAP systems.

What and when is POPIA?

The Protection of Personal Information Act (Act No. 4 of 2013), better known as POPI or POPIA, is a South African piece of data privacy legislation.  The intended purpose of the Act is to the privacy and integrity of people’s private and sensitive information. It allows South African data subjects, both as natural and juristic persons, to take control over their information and prohibited others from abusing it.

The POPI Act gives a government body, called the Information Regulator, the authority to enforce the law, as well as provide data subjects with a central point of contact when their personal data is being abused.

Although POPIA has been enacted, it will only come into effect once the Information Regulator is officially operational.  It is expected that this will happen in 2020. Once POPIA commences, there is a one-year grace period for organizations to comply.

It is hoped that this law will reduce the prevalence of crimes related to personal data, such as identity theft.  Watch this video to learn more about POPIA:

 
 
 
 
Video Thumbnail
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

 

POPIA vs GDPR - Similar, with a key difference

The POPI Act was developed shortly after the first drafts of GDPR became available. Consequently, POPIA used GDPR as a template to some extent, leaving the two pieces of legislation with striking similarities.

The table below provides a quick comparison of key areas of both GDPR and POPIA.  For a more detailed review, you can read our blog series, starting with this article.

 

POPIA

GDPR

Who must comply?

“Responsible parties” who decide on the reasons and purpose of data collected, and “operators” who provides data processing services.  This can be the same organization.

“Controllers” who determines the purpose and means of personal data processing, and “processors” who provides data processing services on behalf of controllers.  This can be the same organization.

Who is protected?

A data subject that is either a natural or juristic person

A data subject that is a natural person

What is protected?

"Personal information" defined as information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person

Personal information that can be used to identify a natural person.

How are they protected?

Lawful basis and consent

Legal basis and consent

What are the consequences of non-compliance?

  1. Fines of between R1 million and R10 million or imprisonment of one to ten years in jail.
  2. Costs and payment of damages resulting from civil action.
  1. Penalties of 4% of annual global revenue or €20m, whichever is higher.
  2. Costs and payment of damages resulting from civil action.

The two laws are very similar with the major exception of how a data subject is defined. POPIA includes “juristic persons” as data subjects which broadens the definition significantly to potentially includes companies such as vendors or, in B2B operations, client companies. Watch this webinar below to find out more about GDPR and POPIA:

 
 
 
 
Video Thumbnail
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Register to continue watching

 
 
 
 

 

The first steps towards POPIA compliance

Typically, compliance programs start with a Data Privacy Impact Assessment (DPIA) – a mechanism for determining people, processes and systems involved. By undertaking a DPIA, you will be able to identify the main business risks with respect to the rights of data subjects. You can then identify what the risk of processing incorrect or inaccurate personal data may be to your business. During the DPIA, you will identify those processes which interact with your SAP systems. 

Steps involved in the DPIA include: 

  • Plan 
    • Identify team and stakeholders 
    • Define scope of the assessment 
  • Assess 
    • Track data flows across business process in scope 
    • Review existing legal and privacy policies 
    • Determine threats to privacy rights and business vulnerabiltiies
    • Determine controls and countermeasures 
  • Implementation of Controls 
    • Follow data privacy guidelines 
    • Determine privacy measures and responsibility matrix 
    • Design or select security features 
  • Sign off Report 
    • Define auditing procedures 
    • Create follow-up activities

You can find a full example of a DPIA implementation in Making POPIA Compliance Easier (From an SAP Perspective) (a comprehensive white paper).

Key steps to POPIA compliance for SAP systems

Asset 9@8x

When implementing a POPIA compliance project where SAP systems are involved, there are a number of phases that are typically followed:

  1. Assessment (a component of the DPIA)
    This phase of the compliance project creates a deeper understanding of the risks involved.  You’ll review sensitive data, access risk, retention policies, and data storage and interface security.

  2. Clean up / Baseline
    In this phase, you update SAP policies and processes to be POPIA compliant and redact any data that may impact on your compliance status.

  3. Operate
    During the operation phase, a number of actions are taken to maintain compliance such as scheduled redaction, data subject deletion requests, and breach management.

  4. Monitor
    An essential part of ongoing compliance is monitoring.  Effective monitoring activities allow you to understand how well processes are maintained, and where improvements can take place.

  5. Test
    Finally, during the test phase, changes resulting from the monitoring phase are implemented and further managed.

In our whitepaper, Making POPIA Compliance Easier (From an SAP Perspective), we explore these steps in more detail, provide clear directions on how technology can support your compliance journey, and provide nine recommendations to keep in mind during your compliance project.

White Paper CTA

 

 

Explore Popular Tags

GDPR Data Privacy Data Security Data Secure GDPR compliance Data Redaction data scrambling Data Redact General Data Protection Regulation POPI Act POPIA SAP Data Security SAP GDPR SAP data privacy and compliance Data Archiving Data Sync Manager Data privacy regulations Right to be forgotten Data privacy compliance GDPR readiness GDPR deadline Personal data SAP SAP security SAP systems GRC for SAP SAP data privacy and security Access Risk management Access risk controls Data Privacy suite Data minimisation Data security breaches Governance, Risk Management and Compliance (GRC) compliance COVID-19 Data privacy by design Risk monitoring SAP data copying and masking SAR Soterion Subject Access Request anonymised data Australian Privacy Act 1988 CCPA Cenoti Client Sync Data Protection Day Data masking EPI-USE Labs’ solutions European operations Federal Law GDPR fine Guest order ICO May 2018 Object Sync One-time customer Privacy by Design Reducing risk Right to Erasure Risk minimisation S/4HANA Migrations SAP S/4HANA SAP data SAP data privacy & security Secure scrambled production data for testing Test Data Management security breach Backlog privacy debt Black Friday Black Friday hangover Black Friday sales Breach Notification Brexit Budget Canada data privacy legislation Cenoti, connecting SAP with Splunk Cloud migrations Confidentiality Consent DSM DSM Readiness Assessment Data Diclose Data Portability Data Removal Data Replication Data Sync Manager (DSM) Data integrity Data privacy assessment Data processor versus controller Data retention rules Documentation Employee data Europe Friday 25 May 2018 GDPR-type legislation GRC GRC for SAP tools General Data Protection HCM HR ILM Information Commissioner’s Office Information transfer Infotype 41 JSOX New Zealand Privacy Act News Online shopping Penalties Personal Data Protection Law (PDPL) Phantom Proportional Data Protect personal employee data Removing data in SAP Right to Access Rise with SAP Risk management S4HANA SAP Cloud SAP Data Privacy Suite SAP RISE SAP SuccessFactors SAP access risk simulations SAP data encryption SIEM SOX Sarbanes-Oxley (SOX) legislation Saudi Arabia Security Security Information and Event Management Security for SAP. Live Sensitive HCM data South African data privacy legislation Splunk Splunk UBA Splunk’s Enterprise Security Success Factors Territorial Scope UK Government User Access Review Virtual conference What does the European GDPR mean for Australia? ebook masking rules quality of test data system copy uk sox
+ See More

Get Instant Updates


Leave a Comment: