In Force | All sectors processing personal information

Protection of Personal Information Act 4 of 2013 — Cybersecurity Obligations (POPIA)

Also known as: POPIA Cybersecurity (South Africa)

POPIA's cybersecurity obligations require responsible parties to implement appropriate, reasonable technical and organizational measures to prevent loss, damage, or unauthorized access to personal information. Security breaches must be reported to the Information Regulator and affected data subjects.

Jurisdiction: South Africa
Regulator:
Effective: 7/1/2021
Sector: All sectors processing personal information

Full Text / Summary

South Africa's Protection of Personal Information Act 4 of 2013 (POPIA), fully effective from July 1, 2021, establishes data protection and cybersecurity obligations for all organizations processing personal information in South Africa. POPIA's cybersecurity provisions require responsible parties to implement appropriate, reasonable technical and organizational measures to prevent loss, damage, or unauthorized destruction of personal information, and unlawful access to or processing of personal information. The Act requires responsible parties to: implement security safeguards; identify and document all reasonably foreseeable risks; establish and maintain appropriate safeguards against identified risks; regularly verify that safeguards are effectively implemented; and ensure that safeguards are continually updated in response to new risks. The Information Regulator must be notified of security compromises within a reasonable time, and affected data subjects must be notified as soon as reasonably possible. The Information Regulator can impose fines of up to ZAR 10 million and imprisonment of up to 10 years for serious violations.