Set to be introduced in 2020, South Africa’s Protection of Personal Information (POPI) Act will have far-reaching implications for organisations across industries. With digitisation on the rise, websites will be firmly in the spotlight in terms of POPI Act compliance. Here’s a look at how to remain within the law.
What is the POPI Act?
This is South Africa’s equivalent of the European Union’s General Data Protection Regulation (GDPR): it sets out the conditions under which a party may lawfully process personal information. The POPI Act (also written POPIA) is intended to protect personal information from theft, misuse and discrimination by making those conditions binding on anyone who collects, stores or uses it.
What are the POPI Act’s eight conditions of compliance?
The Act sets out eight conditions that an organisation (the “responsible party”) must meet when processing personal information:
- Accountability – The responsible party must ensure that all of the conditions below are met, and remains answerable for them.
- Processing limitation – Processing must be lawful, done in a reasonable manner and limited to what is adequate, relevant and not excessive for the purpose.
- Purpose specification – Information must be collected for a specific, explicitly defined and lawful purpose, and not kept for longer than that purpose requires.
- Further processing limitation – Any further use of the information must be compatible with the purpose for which it was originally collected.
- Information quality – Reasonable steps must be taken to keep the information complete, accurate, not misleading and up to date.
- Openness – The data subject must be notified when their information is collected, including what is collected and why.
- Security safeguards – The integrity and confidentiality of the information must be secured with appropriate, reasonable technical and organisational measures, and the data subject and regulator must be notified of a breach.
- Data subject participation – The individual may request confirmation of what information is held about them, and may ask for it to be corrected or deleted.
Websites, cookies and the POPI Act
The Act will affect what information a website may collect from visitors and what those visitors must be told. Central to this are website cookies, which are the mechanism most sites use to recognise a visitor and record their activity across pages and visits.
What does the cookie do?
A cookie is a small piece of text that a website asks your browser to store and to send back with every later request to that site. Because the browser returns the cookie each time, the site can recognise you from one page to the next, so you can pick up where you left off, and can retain information such as a login session, preferences and other customised settings. Visitors who use a site regularly often prefer not to enter their login details every time, which is where cookies are helpful. On a retail website, a visitor might place items in a shopping cart but not want to buy them yet; a cookie lets the site restore that cart on the next visit.
Cookies come in different types
There are several different types of cookies with different functions:
- The session / transient cookie – This cookie has no expiry date, is held in the browser’s memory and is discarded when the browser session ends. It normally holds only a session identifier, not personal details, although that identifier is what ties the browser to your logged-in account.
- The persistent / permanent / stored cookie – This cookie carries an expiry date (an Expires or Max-Age attribute) and is written to disk, so it survives until it expires or you delete it. It is used for things like site preferences and “remember me” logins.
- Third-party cookies – These are set by a domain other than the one shown in the address bar, typically by advertising or analytics networks embedded in the page, and are used to track browsing behaviour, demographics and spending across many sites.
- Flash / super cookies – These are stored by a browser plug-in (Flash Local Shared Objects) or by other storage outside the browser’s normal cookie store, so clearing your cookies does not remove them. Flash Player has since been discontinued, but the same idea applies to any storage that sits outside the cookie jar.
- Zombie cookies – These are cookies that are automatically recreated after deletion from a copy kept in another storage location, such as a Flash object or local storage, which makes them hard to get rid of. They are also used in some online games to prevent cheating.
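The types above can be told apart mechanically from the Set-Cookie header a server sends, and a security review of a site’s cookies usually starts there. The following JavaScript (Node.js) is an added example, not code from the original article: it parses Set-Cookie headers, labels each cookie as session or persistent (by the presence of Expires or Max-Age), as first- or third-party (by comparing the responding host with the page’s host), and flags missing Secure, HttpOnly and SameSite attributes, which is the check most relevant to the Act’s security safeguards condition. The sample headers, hostnames and the small suffix list standing in for the Public Suffix List are constructed for the example.

```javascript
// Added example (not from the original article). Classifies Set-Cookie headers
// using the article's cookie taxonomy and flags weak security attributes.
// TOY_PUBLIC_SUFFIXES is a constructed stand-in for the Public Suffix List
// that real browsers use; hostnames and headers below are constructed sample data.

const TOY_PUBLIC_SUFFIXES = ['co.za', 'org.za', 'com', 'net', 'org'];

// Parse one Set-Cookie header into name, value and lower-cased attributes.
// Attributes without a value (HttpOnly, Secure) are recorded as true.
function parseSetCookie(header) {
  const [nameValue, ...rest] = header.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? '' : nameValue.slice(eq + 1);
  const attributes = {};
  for (const attr of rest) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attributes };
}

// "example.co.za" for "www.example.co.za", "tracker.com" for "ads.tracker.com".
// Two hosts with the same registrable domain are treated as the same site.
function registrableDomain(host) {
  const h = host.toLowerCase();
  const suffix = TOY_PUBLIC_SUFFIXES
    .filter((s) => h.endsWith('.' + s))
    .sort((a, b) => b.length - a.length)[0]; // longest matching suffix wins
  if (!suffix) return h;
  const labels = h.slice(0, h.length - suffix.length - 1).split('.');
  return `${labels[labels.length - 1]}.${suffix}`;
}

// Classify one cookie as the article's taxonomy does and list security gaps.
function classifyCookie(header, responseHost, pageHost) {
  const { name, attributes } = parseSetCookie(header);
  // A cookie is persistent only if the server gave it an expiry.
  const persistence = attributes.expires || attributes['max-age'] ? 'persistent' : 'session';
  const party = registrableDomain(responseHost) === registrableDomain(pageHost)
    ? 'first-party' : 'third-party';
  const warnings = [];
  if (!attributes.secure) warnings.push('missing Secure: cookie can be sent over plain HTTP');
  if (!attributes.httponly) warnings.push('missing HttpOnly: readable by page scripts, so XSS can steal it');
  if (!attributes.samesite) warnings.push('missing SameSite: browser default applies');
  else if (String(attributes.samesite).toLowerCase() === 'none' && !attributes.secure) {
    warnings.push('SameSite=None requires Secure; browsers reject the cookie otherwise');
  }
  return { name, persistence, party, warnings };
}

// Audit every cookie observed while loading a page. Each entry: { header, responseHost }.
function auditCookies(pageHost, observed) {
  return observed.map(({ header, responseHost }) => classifyCookie(header, responseHost, pageHost));
}

// Constructed sample data: one login session, one preference cookie from a
// sibling host, one advertising cookie from an unrelated tracker domain.
const SAMPLE_PAGE_HOST = 'shop.example.co.za';
const SAMPLE_OBSERVED = [
  { header: 'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax', responseHost: 'shop.example.co.za' },
  { header: 'prefs=dark; Max-Age=31536000; Path=/; Secure; SameSite=Lax', responseHost: 'www.example.co.za' },
  { header: 'uid=xyz789; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Domain=.tracker.com; SameSite=None', responseHost: 'ads.tracker.com' },
];

for (const r of auditCookies(SAMPLE_PAGE_HOST, SAMPLE_OBSERVED)) {
  const detail = r.warnings.length ? `\n  - ${r.warnings.join('\n  - ')}` : '';
  console.log(`${r.name}: ${r.persistence}, ${r.party}${detail}`);
}
```

In the sample run the login cookie comes out clean, the preference cookie is flagged only for lacking HttpOnly (acceptable if page scripts genuinely need to read it), and the tracker cookie is third-party, persistent and carries three warnings, including the SameSite=None without Secure combination that modern browsers refuse to store. Real tooling should use the full Public Suffix List rather than the toy list here, and should also honour the Domain attribute when deciding which hosts receive the cookie.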
The trouble with cookies
A cookie itself is not malicious: it is plain text stored by the browser and cannot carry or execute a virus. The risks lie elsewhere. Tracking cookies, especially third-party ones, build a profile of a user’s browsing that can be sold to advertising companies without the user knowing. And a cookie that holds a session identifier is a target for theft, because whoever obtains it can act as that user, which is why such cookies should be sent only over HTTPS and kept out of reach of page scripts.
How cookies are involved
What is the penalty?
Cybersecurity and the POPI Act
- Network firewalls
- Disk encryption for all hard drives
- Antivirus and anti-phishing software
- Strong password protection
- Strict company policy on cybersecurity
It’s also important to note that, where a company outsources its IT operations to another party (an “operator” in the Act’s terms), the company remains the responsible party for keeping the data safe. This means companies must ensure they are partnering with a reputable IT provider, that the contract obliges the provider to apply the Act’s security safeguards, and that appropriate access management, policies and controls are in place on both sides.
Risks of non-compliance
If an organisation does not comply with the Act, the consequences can be severe: reputational damage, administrative fines of up to R10 million, and, for the most serious offences, imprisonment. Companies could also be held financially responsible for damages claimed by data subjects through civil action.
Although the POPI Act is not yet in effect, it’s best to err on the side of caution by implementing the necessary measures now, so that website users are told clearly what cookies a site uses and why before those cookies are set. From a business perspective as well, customers are more likely to remain loyal to organisations that are transparent about their practices, so it makes good business sense to put these precautions in place early.