POPIA & Device Security

your compliance questions answered

Request Full Guidebook

i. What POPIA requires

POPIA includes a number of stated conditions, and each must be fulfilled in order for an organisation to remain in compliance with the law. POPIA's provisions require the Responsible Party to define the purpose for which they collect personal information, and inform the individual of what that purpose is.

What is POPIA?

POPIA is the South African Protection of Personal Information Act which regulates the processing and handling of Personal Data by a business or entity.

How is POPIA regulated?

The Information Regulator regulates POPIA (https://inforegulator.org.za). Parliament has gone to great lengths to give this regulator teeth. There are significant consequences for non-compliance.

What are the consequences of non-compliance?
  • Suffer reputational damage.
  • Lose customers and fail to attract new ones.
  • Pay out millions in damages in a civil class action.
  • Be fined up to R10 million or face 10 years in jail for committing an offence.

    • Of these, reputational damage is likely the biggest risk and most potentially harmful to an organisation.

    II. How POPIA affects south african businesses and organisations?

    POPIA sets conditions that any organisation processing personal information must comply with. Under POPIA, organisations in South Africa are required to protect the personal information they process.

    Some organisations will require special permission from the regulator for processing certain types of information as defined by the Act.


    Does POPIA apply to everybody?

    Yes, virtually everybody. POPIA applies to anyone who processes personal information. It applies to all public (like Municipalities and SARS) and private bodies (like financial institutions, healthcare providers and direct marketers).

    Do you have to comply with POPIA?

    Yes, you must comply with POPIA (and the consequences for non-compliance are quite severe). While this is the case, you do want to adhere to the law efficiently and get business value from your efforts.

    Who is the responsible party when personal information is processed?

    If you have decided to process personal information in a certain way, then you are the responsible party. The responsible party is the person that, alone or in conjunction with others, determines the purpose of and means (the why and the how) for processing personal information.

    III. What POPIA mean to you as the custodian of personal information

    Personal information includes information like race, gender, age and education, as well as the medical, financial, criminal or employment history of a person. Contact details like an email address, telephone number or location information are also included. Personal information is any information that relates to an identifiable, living, natural person and/or information that identifies an existing juristic person, such as a company, close corporation or trust.

    The conditions for lawful processing under POPIA apply even if personal information is public knowledge.
    Does the law now require information security?

    Yes, it does. You may have already been securing the information that you hold because it made business sense to do so. POPIA now places a legal obligation on you to secure the information you process. You must secure both the integrity and confidentiality of any personal information by taking appropriate, reasonable technical (such as using encryption) and organisational (such as policy) measures to prevent loss and unlawful access (hacking).

    Must you encrypt personal information?

    Yes, because it is a key technical measure for securing data. Encryption is the first line of defence for sensitive data and is a key aspect of complying with POPIA. However, encryption is often not fully sufficient on its own. For example, if somebody knows or hacks a password they can bypass the encryption. 

    Must you use email encryption when sending emails containing personal information?

    Yes. Although POPIA does not explicitly deal with email encryption, it does require you to take security measures that are appropriate and reasonable in relation to the nature of the personal information you process. If you send an email that contains personal information of such a nature that data subjects could suffer adverse harm if the email were hacked, it would be appropriate and reasonable to ensure that it is encrypted. The regulator would not look kindly on you if you were to send it unencrypted. Further to this point, data protection authorities around the world recognise encryption as one of the generally appropriate and reasonable security measures that you must take.

    If you lose a device, must you tell the regulator?
    Yes. If there are reasonable grounds for you to believe that an un-authorised person has accessed the personal information, you must notify:
  • the Information Regulator, and
  • each of the data subjects involved.
    • Can data be transferred across borders?

    You as a responsible party must protect the personal information of your data subjects when the data is transferred to a third party in another country. The other country may not have the same level of data protection as your country.

    IV. Practical Guidance on POPIA and how to comply

    If you use SMBsecure, must you notify regulators in the event of a lost or stolen device?

    No, you do not have to notify the information regulator or the data subjects, because an unauthorised person is unlikely to have accessed the personal information. There are three key elements to SMBsecure that make this happen:

  • Encryption
  • Access controls & Security Policies
  • Reporting for auditing and validations

    • Can SMBsecure safeguard personal information on USB drives and memory sticks?

    Yes, Memory sticks are high risk because people can copy large amounts of personal information onto them and they be easily lost or stolen because they its small size and portability. SMBsecure can do port blocking and when using the Premium service it can also protect the data on a memory stick the same way it does with other mobile devices, but provides protection and traceability beyond just creating an encryption vault; spanning functions including access control to rights management.

    Can SMBsecure safeguard personal information we send via email and help us comply with POPIA?

    Yes. Email encryption is one of the ways to protect data subjects from harm and further comply with POPIA. The neat and simple SMBsecure plugin for Outlook on PC can help you to accomplish end-to-end encryption for personal data being emailed and provides sufficient features and functions to accommodate most requirements.

    Can SMBsecure be used as a practical solution to comply?
  • SMBsecure helps you to comply with the POPIA law, while also offering significant business benefits.
  • SMBsecure can help you to protect and safeguard the personal information you might possess as a Responsible Party on mobile devices, including laptops, phones, tablets, and USB drives.
  • With SMBsecure you can encrypt data or devices, as well as remotely monitor and quarantine or wipe data as necessary to keep it from being exposed.
  • SMBsecure Email Encryption can help you secure and encrypt personal or sensitive data being emailed from the Outlook desktop client on Windows PC. The plugin for Microsoft Outlook uses open standard portable document format (PDF) so it is very easy for the recipient to open an encrypted PDF on any device (using a password), just as banks do when sending bank statements to you.
  • By using SMBsecure, you do not only apply, but can adequately prove the technical controls for compliance, through adequate auditing and reporting. Such validations are vital, but often missed and forgotten when standalone solutions are implemented, especially in smaller organisations .
    • Request Full Guidebook