Insights into PoPIA compliance

Issue 3 2021 Security Services & Risk Management

By now everyone knows PoPIA (The Protection of Personal Information Act) becomes a reality on 1 July 2021 and there will be no extensions. For those who may not have prepared or even know what they need to be doing, Hi-Tech Security Solutions asked Carrie Peter, solution owner at Impression Signatures for a few insights on what this piece of legislation means in the real world.

Hi-Tech Security Solutions: What are the realities when it comes to PoPIA compliance? Do companies have to reinvent the wheel to be compliant?

Carrie Peter: In some cases they will have to reinvent the wheel, but that will be dependent on their internal security and privacy controls. From something as simple as a customer completed form, to far more complex systems that hold deeply private data such as medical records, minimalism and privacy needs to be baked in. The extent to which a company will have to reinvent the wheel will depend on where the company is at starting position.

Carrie Peter.

Due to safety and privacy issues, many organisations may already be in a position where they have been complying to regulations, such as informing the customer of the reason for retaining information. For these organisations, compliance may just involve slight adjustments in protocol. For other organisations, compliance may entail more extensive steps and re-configurations.

Hi-Tech Security Solutions: Apart from the threats of jail for directors, what are the real risks of non-compliance (from legal and other perspectives)?

Carrie Peter In addition to potential imprisonment, non-compliance may lead to heavy fines. Section 107 of the Act states: “For the more serious offences the maximum penalties are a R10 million fine or imprisonment for a period not exceeding 10 years or to both a fine and such imprisonment. For the less serious offences, for example, hindering an official in the execution of a search and seizure warrant, the maximum penalty would be a fine or imprisonment for a period not exceeding 12 months, or to both a fine and such imprisonment.”

Further to this, the costs that can be caused by data breaches and security issues can make the fines seem light. Reputational damage, productivity losses and data losses can cause millions of rands in damage. Responding to a minor cyber incident can cost millions of rands. Organisations that do not comply also run the risk of losing the confidence of their customers and clients, since the Act has been instated to protect the privacy and confidentiality of their information, this loss of trust can potentially result in a downturn in business.

Hi-Tech Security Solutions: What should companies be ready for in terms of people asking what private information the organisations hold for them? Can an individual insist a company provides and then deletes all info they have on them? How long does a company have to supply/delete such personal information?

Carrie Peter: According to the Act, the data subject must be informed about the reason for the information requested. The organisation also has to inform the data subject about and gain permission for, the sharing of that personal information to any additional third parties. The data subject has the right to request the reason for personal information obtained at any time.

The data subject also has the right to request what information an organisation has about the subject and to order the deletion of that information. The organisation must comply and the information must be deleted immediately upon request without any penalties, conditions or fines to the data subject.

Hi-Tech Security Solutions: With 1 July looming, what are your top three tips for companies to ensure they are compliant or will be compliant?

Carrie Peter: My suggestions are:

1. Understand what private data you hold and what private data you need to hold – gather and hold only what you need.

2. Understand consent – it is fine to gather and hold data if you have consent to do so. Make sure that all data obtained has the consent of the data subject.

3. Trust no one – develop a risk management and mitigation programme and regularly assess your day-to-day practices against this. Keep record of compliance measures at all times.

For more information go to


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Integrated, mobile access control
SA Technologies Entry Pro Technews Publishing Access Control & Identity Management
SMART Security Solutions spoke to SA Technologies to learn more about what is happening in the estate access world and what the company offers the residential estate market.

Natural catastrophes and fire risks top concerns
Security Services & Risk Management Asset Management Residential Estate (Industry)
Natural disasters are the highest risk in the real estate industry, followed by fire and explosions, and then business interruption. Estates must prioritise risk management and take proactive measures to safeguard their assets, employees, and reputation.

New ransomware using BitLocker to encrypt data
Technews Publishing Information Security Residential Estate (Industry)
Kaspersky has identified ransomware attacks using Microsoft’s BitLocker to attempt encryption of corporate files. It can detect specific Windows versions and enable BitLocker according to those versions.

Building a solid foundation
Alwinco Security Services & Risk Management Asset Management Residential Estate (Industry)
Understanding the roles of a Risk Assessor and a Risk Manager is like building a solid and secure foundation in the security world. Andre Mundell makes it easy to understand.

SMART Estate Security returns to KZN
Nemtek Electric Fencing Products Technews Publishing Axis Communications SA OneSpace Editor's Choice News & Events Integrated Solutions IoT & Automation
The second SMART Estate Security Conference of 2024 was held in May in KwaZulu-Natal at the Mount Edgecombe Estate Conference Centre, which is located on the Estate’s pristine golf course.

Using KPIs to measure smart city progress
Axis Communications SA Residential Estate (Industry) Integrated Solutions Security Services & Risk Management
United 4 Smart Sustainable Cities is a United Nations Initiative that encourages the use of information and communication technology (including security technology) to support a smooth transition to smart cities.

Enhancing estate security, the five-layer approach
Fang Fences & Guards Residential Estate (Industry) Integrated Solutions Security Services & Risk Management
Residential estates are designed to provide a serene and secure living environment enclosed within gated communities, offering residents peace of mind and an elevated standard of living.

Creating employment through entrepreneurship
Technews Publishing Marathon Consulting Editor's Choice Integrated Solutions Residential Estate (Industry)
Eduardo Takacs’s journey is a testament to bona fide entrepreneurial resilience, making him stand out in a country desperate for resilient businesses in the small and medium enterprise space that can create employment opportunities.

From the editor's desk: Just gooi a cable
Technews Publishing News & Events
      Welcome to the 2024 edition of the SMART Estate Security Handbook. We focus on a host of topics, and this year’s issue also has a larger-than-normal Product Showcase section. Perhaps the vendors are ...

Kaspersky finds 24 vulnerabilities in biometric access systems
Technews Publishing Information Security
Customers urged to update firmware. Kaspersky has identified numerous flaws in the hybrid biometric terminal produced by international manufacturer ZKTeco, allowing a nefarious actor to bypass the verification process and gain unauthorised access.