South Africa’s Protection of Personal Information (POPI) Act aims to ensure that organisations operating in South Africa exercise proper care when collecting, storing or sharing personal data.
Thales’s Vormetric Data Security Platform provides tools you need to help comply with the POPI Act, and prevent data breaches. Should a breach occur, you may be able to avoid the public breach notification if affected data has been encrypted with the Vormetric Platform.
Thales supports your compliance efforts by helping you:
South Africa’s POPI Act, which became law on 11th April, 2014, requires organisations to adequately protect sensitive data or face large fines, civil law suits or even prison. The Act extends certain rights to data subjects that give them control over how their personal information can be collected, processed, stored and shared.
According to Chapter 11 (Offences, Penalties and Administrative Fines) of the POPI Act:
107. Any person convicted of an offence in terms of this Act, is liable, in the case of a contravention of–
(a) section 100, 103(1), 104(2), 105(1), 106(1), (3) or (4) to a fine or to imprisonment for period not exceeding 10 years, or to both a fine and such imprisonment; or
(b) section 59, 101, 102, 103(2) or 104(1), to a fine or to imprisonment for a period not exceeding 12 months, or to both a fine and such imprisonment.
According to Chapter 11, “a Magistrate’s Court has jurisdiction to impose any penalty provided for in section 107.”
Condition 7 of the POPI Act outlines the criteria for securing personal information. Thales helps organisations address two of the key aspects of Condition 7:
Item 19 of Condition 7 states that an organisation must secure the integrity and confidentiality of personal information against loss, damage, unauthorised destruction and prevent unlawful access. Item 19 also requires organisations to assess the potential risks to personal information and establish safeguards against such risks. These safeguards must be regularly assessed, maintained, updated and audited to ensure a company’s compliance.
Item 22 outlines the action that organisations must take if “the personal information of a data subject has been accessed or acquired by any unauthorised person.” The responsible party must notify the Regulator and the data subject whose data has been breached “as soon as reasonably possible after the discovery of the comprise.” The Regulator has the right to force the organisation concerned to publish details of the data breach with the only exception being the security of either the nation or the individuals.
To address Item 19, Thales’s Vormetric Data Security Platform helps safeguard personal data against loss, damage, as well as unauthorised destruction or unauthorised access. Specifically, Vormetric Transparent Encryption protects personal information with data-at-rest encryption using the AES hardware encryption algorithms built into system CPUs. Further, Vormetric Transparent Encryption’s integrated Key Management offers highly secure, centralized protection of encryption keys.
Vormetric Transparent Encryption provides data-centric protection that ensures that, if data is stolen, it is unintelligible to those who steal it. Therefore, organisations can avoid the breach notification requirement in Item 22 because data subjects’ personal information will not have been compromised.
Moreover, Thales help you prevent breaches from happening in the first place through:
Thales protects the data itself through Vormetric Transparent Encryption with integrated Key Management for data at rest, Application Encryption, Tokenization with Dynamic Masking and other solutions. These techniques make the data meaningless and worthless without the keys to decrypt it.
The Vormetric Data Security Platform, from Thales, provides state of the art user access control:
Thales lets the enterprise monitor and identify extraordinary data access. Vormetric Security Intelligence Logs are detailed management logs that specify which processes and users have accessed protected data. They specify when users and processes accessed data, under which policies, and if access requests were allowed or denied. The management logs will even expose when a privileged user submits a command like 'switch users' in order to attempt to imitate, and potentially exploit, the credentials of another user. Sharing these logs with a security information and event management (SIEM) platform helps uncover anomalous patterns in processes and user access, which can prompt further investigation.
With Vormetric Key Management, you can centrally manage keys from all Vormetric Data Security Platform products, and securely store and inventory keys and certificates for third-party devices—including IBM Security Guardium Data Encryption, Microsoft SQL TDE, Oracle TDE, and KMIP-compliant encryption products. By consolidating key management, this product fosters consistent policy implementation across multiple systems and reduces training and maintenance costs.
Perhaps the most comprehensive data privacy standard to date, GDPR affects any organization that processes the personal data of EU citizens - regardless of where the organization is headquartered.
Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.
Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.