POPIA Compliance – Have you thought about your email?

March 9, 2021 by Rian Schoeman

POPIA compliance will be mandatory from 1 July 2021. ZixMail can help organisations prevent costly data leaks by blocking certain emails from leaving the organisation.

By now every South African company is aware of the looming POPIA compliance date of 1 July 2021 and, no doubt, many companies have found themselves asking what they can do to comply. Even though POPIA has only 8 principles, complying with all 8 actually takes a lot of time and effort.

Because of this, people naturally turn to solutions that could possibly assist them with compliance. This is a good move, but every company should be aware that technology cannot replace having proper processes and practices in place and, more importantly, that there is no single solution that will make you POPIA compliant, no matter what vendors claim.

One of the biggest tasks that any company will face is to map how personal information enters, travels and exits their business. Once they have conducted that exercise, they will inevitably come to the conclusion that one of the largest vulnerabilities in any business is email. Email is very difficult to control and is also one of the major sources of unsolicited personal information leaving a business, if not the largest one.

Think about it: today, email is the number one communication method in most businesses. It is still the most convenient way to communicate, especially if you want some kind of record of the discussion and if you want to share smaller documents. Despite chat and messaging apps becoming more commonplace, they are still not ideal for transmitting confidential documents, especially in a business context.

How easy is it to enter the wrong name in an email message? Outlook automatically brings up options when you type the first few letters and before you know it you may have shared an entire customer database with the wrong person!

Now, what about email being sent legitimately but still containing personal information? Not everyone is aware that email travels in clear text, which means that its contents are visible to anyone who intercepts that email. Still fewer people understand that email is not point-to-point. In other words, if I send you an email, it does not go straight to your inbox. Instead, a single email can travel through countless servers, some of them even outside the Republic of South Africa, and you as the sender will have no control over that.

It is therefore clear, from an accountability standpoint as well as from a security safeguards perspective (two of the POPIA principles), that every business will have to do something to protect and secure email transmission.

This is one of those areas where a software solution can assist with some of the aspects of POPIA compliance. ZixMail is one such product. It is a simple way of encrypting emails between the sender and the receiver, which means that even if the email is intercepted, the data cannot be extracted.

It is a very versatile and useful tool that can be configured in a number of ways to address a large variety of risks associated with email. Among other things, it has the ability to:

  • Block emails containing certain personal information
  • Warn an administrator that such an email is about to be sent, allowing her to decide whether or not to release the email
  • Encrypt certain emails by default
  • Warn someone that an email they are about to send contains personal information
  • Encrypt the email end to end
  • Encrypt attachments to email

The screenshot below represents a real-life example of someone trying to send out an email where an ID number was typed in the subject line. The email was held back and the sender was encouraged to change the subject line before sending out the email. This prevented an ID number from being shared in clear text, possibly in violation of POPIA.

While there are many more examples, this should illustrate the value a product like ZixMail can bring to a company. You can have granular control over emails through rules based on lexicons or dictionaries that will look for certain words or phrases and perform actions based on those rules.
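A simplified version of the kind of rule described above, written as an added example for this post rather than taken from ZixMail or LAWtrust: it scans an outbound message's subject and body for a lexicon of constructed POPIA-style terms and for South African ID numbers (13 digits with a date-of-birth prefix and a Luhn check digit), then returns the action a gateway rule would take. The lexicon terms and the hold/warn/allow actions are assumptions for illustration.

```python
import re
from email import message_from_string

# Constructed POPIA-style lexicon, an assumption for this example only,
# not LAWtrust's actual POPIA dictionary.
POPIA_TERMS = {"id number", "identity number", "medical aid", "passport number"}

# A South African ID number is 13 digits: YYMMDD date of birth, a 4-digit
# sequence, citizenship digit, a legacy digit and a Luhn check digit.
SA_ID_RE = re.compile(r"(?<!\d)\d{13}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check over the whole number, check digit included."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def find_sa_ids(text: str) -> list:
    """13-digit runs with a plausible month/day and a valid Luhn digit."""
    found = []
    for m in SA_ID_RE.finditer(text):
        cand = m.group()
        month, day = int(cand[2:4]), int(cand[4:6])
        if 1 <= month <= 12 and 1 <= day <= 31 and luhn_ok(cand):
            found.append(cand)
    return found


def classify_email(raw: str) -> dict:
    """Decide what an outbound-mail rule would do with one RFC 822 message:
    'hold' when a valid ID number appears in the subject or body (the case in
    the post), 'warn' when only lexicon terms appear, 'allow' otherwise.
    Assumes plain-text parts without transfer encoding."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    body = " ".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    ids = find_sa_ids(subject) + find_sa_ids(body)
    text = (subject + " " + body).lower()
    terms = sorted(t for t in POPIA_TERMS if t in text)
    if ids:
        return {"action": "hold", "ids": ids, "terms": terms}
    if terms:
        return {"action": "warn", "ids": [], "terms": terms}
    return {"action": "allow", "ids": [], "terms": []}
```

The date and Luhn checks are what keep an arbitrary 13-digit reference number from triggering a hold, which is the usual source of false positives in a rule like this.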

As the sole distributor of Zix in South Africa, LAWtrust has developed a custom POPIA dictionary, based on the definitions of personal information under POPIA. In addition, Zix comes standard with other dictionaries such as GDPR and PCI-DSS, allowing for a wide range of controls in a number of fields.

Any company trying to comply with POPIA will know how hard it is and how much work is involved. Having a solution such as Zix in your arsenal can help show that your company is serious about POPIA compliance and can assist in bringing the chaos that is email under control.

- Rian Schoeman (Chief Privacy Officer - LAWtrust)