South Africa’s Protection of Personal Information Act compliance

South Africa’s Protection of Personal Information Act compliance

Thales helps enterprises comply with key provisions of South Africa’s Protection of Personal Information Act.

Protection of Personal Information Act

South Africa’s Protection of Personal Information (POPI) Act aims to ensure that organisations operating in South Africa exercise proper care when collecting, storing or sharing personal data.

Thales’s access management and authentication solutions and CipherTrust data security platform provide tools you need to help comply with the POPI Act and prevent data breaches. Should a breach occur, you may be able to avoid the public breach notification if affected data has been encrypted with the CipherTrust Platform.

Thales supports your compliance efforts by helping you:

  • Authenticate and manage access
  • Prevent breaches through granular controls and separating privileged user access from sensitive data
  • Avoid breach notification requirements by encrypting or tokenising the data
  • Identify irregular access patterns and breaches in progress through security intelligence logs
  • Regulation
  • Compliance

Summary

South Africa’s POPI Act requires organisations to adequately protect sensitive data or face large fines, civil lawsuits or even prison. The Act extends to data subjects certain rights that give them control over how their personal information can be collected, processed, stored and shared.

Penalties

According to Chapter 11 (Offences, Penalties and Administrative Fines) of the POPI Act:

107. Any person convicted of an offence in terms of this Act, is liable, in the case of a contravention of –

(a) section 100, 103(1), 104(2), 105(1), 106(1), (3) or (4) to a fine or to imprisonment for period not exceeding 10 years, or to both a fine and such imprisonment; or

(b) section 59, 101, 102, 103(2) or 104(1), to a fine or to imprisonment for a period not exceeding 12 months, or to both a fine and such imprisonment.

According to Chapter 11, “a Magistrate’s Court has jurisdiction to impose any penalty provided for in section 107.”

Compliance summary

Condition 7 of the POPI Act outlines the criteria for securing personal information. Thales helps enterprises address two of the key aspects of Condition 7:

Item 19 of Condition 7 states that an organisation must secure the integrity and confidentiality of personal information against loss, damage, unauthorised destruction and prevent unlawful access. Item 19 also requires organisations to assess the potential risks to personal information and to establish safeguards against such risks. These safeguards must be regularly assessed, maintained, updated and audited to ensure a company’s compliance.

Item 22 outlines the action that organizations must take if “the personal information of a data subject has been accessed or acquired by any unauthorised person”. The responsible party must notify the Regulator and the data subject whose data has been breached “as soon as reasonably possible after the discovery of the compromise.” The Regulator has the right to force the organisation concerned to publish details of the data breach with the only exception being the security of either the nation or the individuals.

Best practice for securing the integrity and confidentiality of personal information against loss, damage, unauthorised destruction, and unlawful access is strong access management and authentication combined with transparent encryption, integrated cryptographic key management and security intelligence. Thales provides the following solutions to help organisations comply with South Africa’s POPI Act.

Data discovery and classification

The first step in protecting sensitive data is finding the data wherever it is in the organisation, classifying it as sensitive and typing it (e.g. PII, financial, IP, HHI, customer-confidential, etc.) so you can apply the most appropriate data protection techniques. It is also important to monitor and assess data regularly to ensure new data isn’t overlooked and your organisation does not fall out of compliance.

Thales’s CipherTrust Data Discovery and Classification efficiently identifies structured as well as unstructured sensitive data on-premises and in the cloud. Supporting both agentless and agent-based deployment models, the solution provides built-in templates that enable rapid identification of regulated data, highlight security risks and help you uncover compliance gaps. A streamlined workflow exposes security blind spots and reduces remediation time. Detailed reporting supports compliance programs and facilitates executive communication.

Protection of sensitive data at rest

Separation of privileged access users and sensitive user data

With the CipherTrust data security platform, administrators can create a strong separation of duties between privileged administrators and data owners. CipherTrust transparent encryption encrypts files, while leaving their metadata in the clear. In this way, IT administrators – including hypervisor, cloud, storage and server administrators – can perform their system administration tasks, without being able to gain privileged access to the sensitive data residing on the systems they manage.

Separation of administrative duties

Strong separation of duties policies can be enforced to ensure one administrator does not have complete control over data security activities, encryption keys or administration. In addition, the CipherTrust Manager supports two-factor authentication for administrative access.

Granular privileged access controls

The CipherTrust data security platform can enforce very granular, least-privileged-user access management policies, enabling protection of data from misuse by privileged users and APT attacks. Granular privileged-user-access management policies can be applied by user, process, file type, time of day and other parameters. Enforcement options can control not only permission to access clear-text data, but what file-system commands are available to a user.

Strong access management and authentication

Thales Access Management and Authentication solutions provide both the security mechanisms and reporting capabilities organisations need to comply with data security regulations. Our solutions protect sensitive data by enforcing the appropriate access controls when users log into applications that store sensitive data. By supporting a broad range of authentication methods and policy-driven role-based access, our solutions help enterprises mitigate the risk of data breach due to compromised or stolen credentials or through insider credential abuse.

Support for smart single sign on and step-up authentication allows organisations to optimise convenience for end users, ensuring they only have to authenticate when needed. Extensive reporting allows businesses to produce a detailed audit trail of all access and authentication events, ensuring they can prove compliance with a broad range of regulations.

Protection of sensitive data in motion

Thales High Speed Encryptors (HSEs) provide network independent data-in-motion encryption (Layers 2,3 and 4) ensuring data is secure as it moves from site-to-site, or from on-premises to the cloud and back. Our HSE solutions allow customers to better protect data, video, voice and metadata from eavesdropping, surveillance and overt and covert interception — all at an affordable cost and without performance compromise.

Secure your digital assets, comply with regulatory and industry standards and protect your organisation’s reputation. Learn how Thales can help.

Data Security Compliance and Regulations - eBook

Data Security Compliance and Regulations - eBook

This ebook shows how Thales data security solutions enable you to meet global compliance and data privacy requirements including - GDPR, Schrems II, PCI-DSS and data breach notification laws.

Thales CipherTrust Data Discovery and Classification

Thales CipherTrust Data Discovery and Classification - Product Brief

The crucial first step in privacy and data protection regulatory compliance is to understand what constitutes sensitive data, where it is stored, and how it is used. If you don't know what sensitive data you have, where it is, and why you have it, you cannot apply effective...

SafeNet Trusted Access - Solution Brief

SafeNet Trusted Access - Solution Brief

More and more cloud-based services are becoming an integral part of the enterprise, as they lower costs and management overhead while increasing flexibility. Cloud-based authentication services, especially when part of a broader access management service, are no exception, and...

Guide to Authentication Technologies - White Paper

A Comprehensive Guide to Authentication Technologies and Methods - White Paper

Authentication solutions need to be frictionless. Adopting methods with a higher Authentication Assurance Level and Stronger authentication, can effectively reduce the risk of attacks. Explore authentication technologies to learn: • Selecting authentication methods •...

CipherTrust Transparent Encryption - White Paper

CipherTrust Transparent Encryption - White Paper

Enterprise digital transformation and increasingly sophisticated IT security threats have resulted in a progressively more dangerous environment for enterprises with sensitive data, even as compliance and regulatory requirements for sensitive data protection rise. With attacks...

CipherTrust Transparent Encryption - Product Brief

CipherTrust Transparent Encryption - Product Brief

Safeguarding sensitive data requires much more than just securing a data center’s on-premises databases and files. The typical enterprise today uses three or more IaaS or PaaS providers, along with fifty or more SaaS applications, big data environments, container technologies,...

High Speed Encryption Solutions - Solution Brief

High Speed Encryption Solutions - Solution Brief

Networks are under constant attack and sensitive assets continue to be exposed. More than ever, leveraging encryption is a vital mandate for addressing threats to data as it crosses networks. Thales High Speed Encryption solutions provide customers with a single platform to ...

The Key Pillars for Protecting Sensitive Data in Any Organization - White Paper

The Key Pillars for Protecting Sensitive Data in Any Organization - White Paper

Traditionally organizations have focused IT security primarily on perimeter defense, building walls to block external threats from entering the network. However, with today’s proliferation of data, evolving global and regional privacy regulations, growth of cloud adoption, and...

The Enterprise Encryption Blueprint - White Paper

The Enterprise Encryption Blueprint - White Paper

You’ve been tasked with setting and implementing an enterprise wide encryption strategy, one that will be used to guide and align each Line of Business, Application Owner, Database Administrator and Developer toward achieving the goals and security requirements that you define...

Unshare and Secure Sensitive Data - Encrypt Everything - eBook

Unshare and Secure Sensitive Data - Encrypt Everything - eBook

Business critical data is flowing everywhere. The boundaries are long gone. As an enterprise-wide data security expert, you are being asked to protect your organization’s valuable assets by setting and implementing an enterprise-wide encryption strategy. IT security teams are...