Why you need to start taking data protection seriously - and how ESET can help

What is POPIA?

Are you POPIA-compliant?

As of 1 December 2016, the Information Regulator has been established by the Protection of Personal Information Act (POPIA). POPIA gives the Information Regulator considerable authority – it has extensive powers to investigate and fine responsible parties.

POPIA applies to almost all organisations across every industry and sector of society, and the consequences for non-compliance are significant (fines up to R10 million or jail sentence up to 10 years). If it affects you, you will need to start to thinking about compliance now. This site is designed to help you understand the POPI Act, quantify the requirements, and offer solutions.

calendar due date GDPR

Get your free guide

ESET Southern Africa and privacy experts Michalsons, have produced this guide to examine how the new POPI Act will affect you.

guide general data protection regulation

Online compliance check

This site is designed to help you understand the GDPR, quantify the requirements, and offer solutions.

Complying with the POPI Act, step by step

The implications of the POPI Act are complex, so we have broken down the compliance process into three groups of measures that you should consider, subdivided into various areas of more detailed explanation. Just click on the bars in the diagram below to examine these areas at your convenience.

+In summary

The Protection of Personal Information Act (POPIA) stipulates that organisations must take ‘appropriate, reasonable technical and organisational steps to prevent personal information from being lost, damaged or destroyed, or unlawfully accessed or processed’.

While the POPI Act does not define ‘appropriate, reasonable’ steps, it does mention that international standards and guidelines relevant to protecting privacy should be used. It is therefore necessary to oonsider the guidelines and precedents set by international data protection legislation such as the Data Protection Act (DPA) of the United Kingdom (UK) and the more recent General Data Protection Regulation (GDPR) of the European Union (EU) that are more prescriptive.

From these International Guidelines, we have determined some specific areas of action to help move you towards achieving compliance with POPIA. A compliance exercise should be outcomes-based and not a tick box exercise.

– Comply with the law following a risk-based approach and by doing what is reasonably practicable.

– Be able to demonstrate what you did to comply.

– Build trust with your stakeholders

– Minimise the risks of non-compliance.

+Organisational Structure

Under POPIA, organsations are required to have a data governance strategy in order to ensure that they reduce the risk of being non-compliant to POPIA which will demonstrate that it takes data governance seriously. Measures that prove that organisations are serious about accountability include amongst others:

Accountability for processing of personal information is held by the Responsible Party and to a lesser extent, the Operator. The responsible party is a public or private body, or any other person which alone, or in conjunction with others decides how and why personal information is being processed, and bears the bulk of the responsibility for complying with POPIA.

The Operator relates to cases where the processing of information has been outsourced to a third party that does not fall under the direct authority of the responsible party. In cases where there is an operator, the responsible party is held accountable for the actions of the operator and they must follow the instructions of the responsible party.

An Information Officer is already a legal requirement for organisations in terms of the Promotion of Access to Information Act (PAIA), however it has become significantly more onerous and complicated under POPIA. The information officer is the head of the organisation as a private body[1] by law, namely the CEO, but this role can (and should) be delegated someone else.

The Information Office is responsible for (amongst other things):

– Encouraging their organisation to comply with POPI’s conditions for lawfully processing personal information

– Handling any requests to their organisation in terms of POPI

– Complying with the Information Regulator in any investigations regarding prior authorisation

– Making sure that their organisation complies with POPI (the information officer’s most onerous responsibility)

– Any other responsibilities that the law may impose.

The information officer holds the most important job of all and risks being held personally responsible if the organisation does not comply with POPIA. It is therefore essential that they get all the possible support and assistance from an organisation in achieving the goal of POPIA compliance.


A data protection impact assessment, also known as a privacy impact assessment (PIA), is intended to identify and minimise non-compliance risks.

A privacy impact assessment is recommended in the context of POPIA, and responsible parties must ensure that a PIA has been run, before it begins, on any “high risk” processing activity.

+Procedural Issues and Awareness

Awareness is the first step for any organisation to take in complying to POPIA. Executive level awareness is imperative as this will filter down to staff that are responsible for processing personal information.

Obligations – The Information Regulator will require that all employees of the organisation who handle and process personally identifiable information are aware of their responsibilities under the act.

Liabilities – The Information Regulator will expect that all employees of the organisation who handle and process personally identifiable information are aware of the civil and criminal liabilities of the act both at an at executive as well as personal level.

Rights – It is important that the organisation adopt a rights driven approach to clients, suppliers and employees. This approach can manifest in a company vision statement.

A Privacy Impact Assessment should be considered at least annually to benchmark the organisation’s compliance posture to POPIA and how the organisation has progressed from previous reviews to meet the required compliance mandates.

Defining a response process to a data privacy breach will allow for the organisation to handle any significant fallout from the breach, most notably to affected data subjects as well as to key business stakeholders. The process will define a notification and impact.

Data classification procedures will ease the burden on the organisation when it relates managing access to information for approved handlers. Additionally, security controls for the data can be proportional with the classification and will allow for a more granular data handling procedures when processing personal information.

The organisation should have defined policies and/or procedures in place that address the requirements to compliance to the principles in the POPI Act.

Regular review of defined data protection policies and procedures will ensure that the organisation maintains a compliance posture that is acceptable to the organisation’s auditors and the Information Regulator.

The organisation should have defined policies and/or procedures in place that address the regular review of data protection of collected personally identifiable information.

+Technical Considerations

POPIA has an expectation that responsible parties and operators understand that they have both a personal as well as professional responsibility for demonstrating compliance the data protection principles outlined in POPIA.

Organisations will need to ensure that the previously defined organisational policies are in place to enforce required standards by regularly monitoring, reviewing and assessing its data processing procedures. Additionally, there will be a requirement to build in safeguards by ensuring staff are trained to understand their obligations, and if required to by the Information Regulator, be ready to demonstrate this understanding.

+Accountability – Training and Awareness

The organisation should ensure that data controllers are suitability trained as to their responsibilities relating to protection of personal information and new employees should be informed as to the requirements for data protection at the organisation.

Furthermore, employees need to be aware of whom to consult when it pertains to concerns about data protection at the organisation, which in most instances would either be their direct line manager or the companies Information Officer.

Finally, the organisation should communicate to employees that policies state that unauthorised access to information is strictly controlled and prohibited.

+Data Breach

Should the organisation suffer a data security breach there needs to be suitably defined incident management procedures that will facilitate a collection, analysis and decision on response to the breach should it occur. Breach notifications to the Information Regulator and more importantly an affected data subject form part of an incident response and should be handled efficiently by the Information Officer.

Not reporting a breach is a further contravention of the POPI Act and could lead to stiffer sanctions should a company choose to not notify the Information Regulator or an affected data subject.

+Data Subject Rights

POPI affords data subjects the right to ensure their personal information is processed in a legitimate and appropriate manner with consent being at the forefront of processing limitations. Hence an organisation should clearly define the purpose for which personal information is collected and processed.

Define data subject access request procedures that facilitate a clear communication path between the responsible party (Your organisation) and the data subject (rights holder) to ensure that any information that is held on the data subject can be clearly articulated to the data subject when requested by them.

It has become commonplace for organisations to use technology to automate the profiling of data to analyse and predict what products or services might be relevant to a customer

Using such automated systems for processing of the  personal information must always protect the rights of the data subject.

Any data subject’s information that is processed outside of South African borders needs to be done in a region that has an equivalent or better data protection regulation. For example, countries in the EU are subject to the GDPR regulations.

Data subjects need to consent to have their data transferred across borders so an explicit consent notice needs to be drafted and agreed upon by the data subject. This will ensure a responsible party is adhering to data portability requirements in POPI.


POPI requires that responsible parties collect explicit consent for data processing. This is done by a data subject reading and agreeing to fair processing notices and the company’s privacy policy.

Under POPI, an organisation should be able to identify the business reasons for collecting and processing personally identifiable and special personal information. Special personal information has more stringent control requirements than personally identifiable information. Examples of special information are religion, race, demographic and biometric data.

+Information Security (Data Level Measures)

Secure, reasonable and appropriate controls need to be defined and adopted when handling personal information of a data subject. The POPI Act implies that a pragmatic approach be taken when assessing how to comply.

The recommended approach is to assess the most significant risks posed to the information that is being processed and address those in order of severity. POPIA equally allows for a subjective consideration of the resources available to the organisation – a small business could not be expected to implement the same measures as a large enterprise.

The goal is to achieve a state of compliance that is justifiable relative to the rights of the data subject, feasible for the responsible party and consistent with the reasonable and appropriate guidelines of international privacy law.


You should document what personal data you hold, where it came from and with whom you share it.

An organisation should enter into a data classification exercise to define the various types of information it holds on data subjects. This will ensure that under POPI they can examine how they process personal data and identify the security controls to apply to the data i.e. Encryption

Good practice would dictate that organisations will have a monitoring system in place for when records containing personally identifiable information are accessed by authorised employees. An access control system that reports who has access to which information and when they have accessed that information will provide a forensic capability that can be used as a legal evidence in the cases of an investigation.

The access control mechanism will also retain information on consent and have a record of legal consent being given by the data subject for processing of personal data.

The information presented on this webpage does not constitute a legal opinion, and users should not rely on its accuracy when making financial or business decisions. ESET Southern Africa will not be liable for outcomes resulting from such actions. Always seek independent legal advice.

Join our POPI webinar

Talk to our experts about how the new General Data Protection Regulation will affect your business. ESET is hosting webinars to explain the issues around the GDPR. These webinars are free to attend: just sign up below and we’ll invite you to the next event.

Encryption as a Solution

What is encryption?

Encryption is the process of encoding information in a way that prevents unauthorised parties from being able to read it.

Key length and encryption strength

Encryption strength is most commonly equated to key length (bits) and the encryption algorithm used. The simplest way to defeat encryption is to try all the possible keys. This is known as a brute-force attack, but longer keys have made this approach ineffective.

To brute force a 128-bit AES key, every one of the roughly 7 billion people on Earth would have to check 1 billion keys a second for around 1.5 trillion years to test every key.

So attackers do not typically try to reverse-engineer the algorithm or brute force the key. Instead, they look for vulnerabilities in the encryption software, or attempt infect the system with malware to capture passwords or the key as they are processed.

To minimise these risks, you should use an independently validated encryption product and run an advanced, up-to-date anti-malware solution.

How does it work?

Encryption is applied, most commonly, in two different ways:

Encrypted storage – often referred to as ‘data at rest’ – is most commonly used to encrypt an entire disk, drive or device.

This type of encryption becomes effective only once the system is stopped, the drive ejected or the encryption key blocked.

Encrypted content also referred to as granular encryption – means, typically, encrypting files or text at the application level.

The most common example is email encryption, where the message format must remain intact for the email client application to be able to handle it, but the text body of the email is encrypted along with any attachments.

eset data encryption example

What do I need from encryption?

While key length and the range of software features are important, they do not tell you how well a product will perform from the user’s point of view – or from the administrator’s.

FIPS - 140 Validation

The most widely accepted independent validation is the FIPS-140 standard. If a product is validated to FIPS-140 then it is already more secure than most situations demand and will be acceptable under the GDPR and other regulations.

Ease of use for non-technical users

There will always be situations where your employees will need to decide whether or not to encrypt a document, email, etc. It is vital that they are able to use the software provided and can be confident that encrypting data will not lock them – or authorised recipients – out.

Remote management of keys, settings and security policy

To avoid staff having to make security decisions, encryption can be enforced everywhere – but this tends to restrict legitimate business processes and can stifle productivity. The inclusion of a remote management capability – one that allows changing of encryption keys, functionality or security policy settings for remote users, who typically represent the biggest security issue – means that the default settings for enforced encryption and security policy can be set higher without limiting normal processes elsewhere in the business.

Management of Encryption Keys

One of the biggest usability challenges is how users are expected to share encrypted information. There are two traditional methods:
Shared passwords, which suffer from being easy-to-remember-and-insecure or impossible-to-remember-and-secure-but-written-down-or-forgotten, or;
Public-key encryption, which works well across smaller workgroups with no or low staff turnover, but becomes complex and problematic with larger or more dynamic teams.
Using centrally-managed, shared encryption keys avoids these problems, with the added bonus of mirroring the way that physical keys are used to lock our houses, apartments, cars, etc. Staff already understand this concept, and it only needs explaining once. Coupled with a premium remote-management system, shared encryption keys strike the optimum balance of security and practicality.

Try ESET DESlock+ for free

While key length and the range of software features are important, they do not tell you how well a product will perform from the user's point of view - or from the administrator's.

How ESET can Help

Our solution:
DESlock Encryption by ESET

Encrypting the personal data in your systems can help satisfy many requirements of the POPI Act. ESET’s solution is powerful, simple to deploy, and can safely encrypt hard drives, removable media, files and email.

DESlock Encryption allows you to meet data security obligations by easily enforcing encryption policies while keeping productivity high. With low help-desk overhead and short deployment cycles, no other product can match DESlock for flexibility and ease of use.

The client side requires minimal user interaction, improving compliance and the security of your company data from a single MSI package. The server side makes it easy to manage users’ and workstations and extend protection of your company beyond your corporate network.

What DESlock Encryption offers

Simple and powerful encryption for organizations of all sizes safely encrypts files on hard drives, portable devices and sent via email

Certification: FIPS 140-2 Validated 256 bit AES encryption for assured security

Hybrid-cloud based management server for full remote control of endpoint encryption keys and security policy

Support for Microsoft® Windows® 10, 8, 8.1 including UEFI and GPT, 7, Vista, XP SP 3; Microsoft Windows Server 2003-2012; Apple iOS

Algorithms & standards: AES 256 bit, AES 128 bit, SHA 256 bit, SHA1 160 bit, RSA 1024 bit, Triple DES 112 bit, Blowfish 128 bit

DESlock+ Pro – The benefits in detail

Full disk encryption
Fast and transparent pre-boot security

Removable media encryption
Policy-driven removable media encryption suitable for any corporate security policy

Outlook plugin for email & attachments
Easily send and receive encrypted emails and attachments through Outlook

Virtual disks & encrypted archives
Create a secure, encrypted volume on your PC or in another location or an encrypted copy of an entire directory tree and its files

File & folder encryption
Fast and transparent, provides an extra layer of security

Text & clipboard encryption
Encrypt all or part of a text window – web-browsers, database memo-fields or web-mail

Centralised management compatible
Full control of licensing and software features, security policy and encryption keys.

DESlock+ Go portable encryption
Easy to use on-device software for deployment on unlicensed systems

Try ESET DESlock+ for free

Just fill in your details and we'll set up a trial, so that you can experience the benefits of encryption by ESET

We use cookies to ensure you get the best experience on our website. More info.