South Africa’s Protection of Personal Information Act compliance
Thales helps enterprises comply with key provisions of South Africa’s Protection of Personal Information Act.
South Africa’s Protection of Personal Information (POPI) Act aims to ensure that organisations operating in South Africa exercise proper care when collecting, storing or sharing personal data.
Thales’s access management and authentication solutions and CipherTrust data security platform provide tools you need to help comply with the POPI Act and prevent data breaches. Should a breach occur, you may be able to avoid the public breach notification if affected data has been encrypted with the CipherTrust Platform.
Thales supports your compliance efforts by helping you:
South Africa’s POPI Act requires organisations to adequately protect sensitive data or face large fines, civil lawsuits or even prison. The Act extends to data subjects certain rights that give them control over how their personal information can be collected, processed, stored and shared.
According to Chapter 11 (Offences, Penalties and Administrative Fines) of the POPI Act:
107. Any person convicted of an offence in terms of this Act, is liable, in the case of a contravention of –
(a) section 100, 103(1), 104(2), 105(1), 106(1), (3) or (4) to a fine or to imprisonment for period not exceeding 10 years, or to both a fine and such imprisonment; or
(b) section 59, 101, 102, 103(2) or 104(1), to a fine or to imprisonment for a period not exceeding 12 months, or to both a fine and such imprisonment.
According to Chapter 11, “a Magistrate’s Court has jurisdiction to impose any penalty provided for in section 107.”
Condition 7 of the POPI Act outlines the criteria for securing personal information. Thales helps enterprises address two of the key aspects of Condition 7:
Item 19 of Condition 7 states that an organisation must secure the integrity and confidentiality of personal information against loss, damage, unauthorised destruction and prevent unlawful access. Item 19 also requires organisations to assess the potential risks to personal information and to establish safeguards against such risks. These safeguards must be regularly assessed, maintained, updated and audited to ensure a company’s compliance.
Item 22 outlines the action that organizations must take if “the personal information of a data subject has been accessed or acquired by any unauthorised person”. The responsible party must notify the Regulator and the data subject whose data has been breached “as soon as reasonably possible after the discovery of the compromise.” The Regulator has the right to force the organisation concerned to publish details of the data breach with the only exception being the security of either the nation or the individuals.
Best practice for securing the integrity and confidentiality of personal information against loss, damage, unauthorised destruction, and unlawful access is strong access management and authentication combined with transparent encryption, integrated cryptographic key management and security intelligence. Thales provides the following solutions to help organisations comply with South Africa’s POPI Act.
The first step in protecting sensitive data is finding the data wherever it is in the organisation, classifying it as sensitive and typing it (e.g. PII, financial, IP, HHI, customer-confidential, etc.) so you can apply the most appropriate data protection techniques. It is also important to monitor and assess data regularly to ensure new data isn’t overlooked and your organisation does not fall out of compliance.
Thales’s CipherTrust Data Discovery and Classification efficiently identifies structured as well as unstructured sensitive data on-premises and in the cloud. Supporting both agentless and agent-based deployment models, the solution provides built-in templates that enable rapid identification of regulated data, highlight security risks and help you uncover compliance gaps. A streamlined workflow exposes security blind spots and reduces remediation time. Detailed reporting supports compliance programs and facilitates executive communication.
With the CipherTrust data security platform, administrators can create a strong separation of duties between privileged administrators and data owners. CipherTrust transparent encryption encrypts files, while leaving their metadata in the clear. In this way, IT administrators – including hypervisor, cloud, storage and server administrators – can perform their system administration tasks, without being able to gain privileged access to the sensitive data residing on the systems they manage.
Strong separation of duties policies can be enforced to ensure one administrator does not have complete control over data security activities, encryption keys or administration. In addition, the CipherTrust Manager supports two-factor authentication for administrative access.
The CipherTrust data security platform can enforce very granular, least-privileged-user access management policies, enabling protection of data from misuse by privileged users and APT attacks. Granular privileged-user-access management policies can be applied by user, process, file type, time of day and other parameters. Enforcement options can control not only permission to access clear-text data, but what file-system commands are available to a user.
Thales Access Management and Authentication solutions provide both the security mechanisms and reporting capabilities organisations need to comply with data security regulations. Our solutions protect sensitive data by enforcing the appropriate access controls when users log into applications that store sensitive data. By supporting a broad range of authentication methods and policy-driven role-based access, our solutions help enterprises mitigate the risk of data breach due to compromised or stolen credentials or through insider credential abuse.
Support for smart single sign on and step-up authentication allows organisations to optimise convenience for end users, ensuring they only have to authenticate when needed. Extensive reporting allows businesses to produce a detailed audit trail of all access and authentication events, ensuring they can prove compliance with a broad range of regulations.
Thales High Speed Encryptors (HSEs) provide network independent data-in-motion encryption (Layers 2,3 and 4) ensuring data is secure as it moves from site-to-site, or from on-premises to the cloud and back. Our HSE solutions allow customers to better protect data, video, voice and metadata from eavesdropping, surveillance and overt and covert interception — all at an affordable cost and without performance compromise.
This ebook shows how Thales data security solutions enable you to meet global compliance and data privacy requirements including - GDPR, Schrems II, PCI-DSS and data breach notification laws.
The crucial first step in privacy and data protection regulatory compliance is to understand what constitutes sensitive data, where it is stored, and how it is used. If you don't know what sensitive data you have, where it is, and why you have it, you cannot apply effective...
More and more cloud-based services are becoming an integral part of the enterprise, as they lower costs and management overhead while increasing flexibility. Cloud-based authentication services, especially when part of a broader access management service, are no exception, and...
Authentication solutions need to be frictionless. Adopting methods with a higher Authentication Assurance Level and Stronger authentication, can effectively reduce the risk of attacks. Explore authentication technologies to learn: • Selecting authentication methods • Analysis...
Enterprise digital transformation and increasingly sophisticated IT security threats have resulted in a progressively more dangerous environment for enterprises with sensitive data, even as compliance and regulatory requirements for sensitive data protection rise. With attacks...
Safeguarding sensitive data requires much more than just securing a data center’s on-premises databases and files. The typical enterprise today uses three or more IaaS or PaaS providers, along with fifty or more SaaS applications, big data environments, container technologies,...
Networks are under constant attack and sensitive assets continue to be exposed. More than ever, leveraging encryption is a vital mandate for addressing threats to data as it crosses networks. Thales High Speed Encryption solutions provide customers with a single platform to ...
Traditionally organizations have focused IT security primarily on perimeter defense, building walls to block external threats from entering the network. However, with today’s proliferation of data, evolving global and regional privacy regulations, growth of cloud adoption, and...
You’ve been tasked with setting and implementing an enterprise wide encryption strategy, one that will be used to guide and align each Line of Business, Application Owner, Database Administrator and Developer toward achieving the goals and security requirements that you define...
Business critical data is flowing everywhere. The boundaries are long gone. As an enterprise-wide data security expert, you are being asked to protect your organization’s valuable assets by setting and implementing an enterprise-wide encryption strategy. IT security teams are...