South Africa’s POPIA compliance through Zoho’s ISO 27701

This blog is an attempt to showcase the interwoven aspects of the ISO 27701 (Privacy Information Management System – PIMS) that Zoho is certified with, with the requirements of the South Africa’s Protection of Personal Information Act (POPIA), and to bring to the reader’s understanding how Zoho’s compliance with the POPIA is integrated with the PIMS program.

Note:
  • This blog is just an attempt to map the ISO 27701 with the Zoho’s POPIA Compliance Program and should not be construed as legal advice. This blog does not capture the minuscule details of the compliance but is to be read and understood as  a summary of the programs.
  • The terms PII, Personal Information and Personal Data are used interchangeably in this blog though there are definitive variations between each.
  • PII Controller, PII Processor and PII Principal are equivalent to those as defined in the POPIA as Responsible Party, Operator and Data Subject respectively. These terms may be used interchangeably in this blog but they carry the same definition.

ISO 27701 applies to both PII Controllers(Responsible Party) and PII Processors(Operator). Learn more about Zoho’s compliance with the ISO 27701, its scope and applicability.

 Here’s an alignment layout of the major sections of the POPIA with the PIMS.


Chapter 2 – Application Provisions

Section 4 – Lawful processing of personal information

Clause 7.2.2 of the PIMS requires the identification & documentation of the lawful basis of processing. Zoho has documented its processing activities along with the lawful basis for those activities.

Section 5 – Rights of data subjects

(1) – Clauses 7.3 and 8.3 of the PIMS covers the aspects of honouring and catering to the rights of data subjects in the role of PII Controller and PII Processor.

 

Chapter 3 – Processing of personal information in general

Part A – Processing of personal information in general

Section 8 – Responsible party to ensure conditions for lawful processing, Section 9 Lawfulness of processing, Section 11(i)(a) to 11(i)(f) – Consent, justification and objection

Clause 7.2.2 of the PIMS requires the identification & documentation of the lawful basis of processing. Zoho has documented its activities and the corresponding lawful basis for the activities identified.

 

Section 10 – Minimality

Clauses 7.4, 8.4 of the PIMS provides implementation guidelines on privacy by design and privacy by default where in Data Minimisation Objectives are defined, documented and measured for efficient implementation.

Zoho has defined Data Minimisation Objectives and has been incorporated into its processes and is validated consistently to ensure compliance with this principle.

 

Section 11 – Consent, justification and objection

Clauses 7.2.4 of the PIMs provides implementation guidance on obtaining and recording consent. Clauses 7.3.4, 7.3.5 requires provision of mechanisms to modify, withdraw consent, and to object to PII processing in the capacity of a PII Controller.

Clause 8.3.1 requires that PII Processor enable PII Controllers to fulfil their obligations to their PII principals in these aspects.

Zoho is committed to help its users by providing abilities in the product and/or through customer support services to enable them fulfil their obligations.

 

Section 13 – Collection for specific purpose

Clause 7.2.1 of the PIMS requires identification and documentation of purpose, while 7.4.1 requires limiting the collection of personal information in the capacity of a PII Controller.

Clause 8.2.1 requires PII Controllers to ensure this through written agreements with PII Processors.

This is captured as an objective in Zoho’s Data Minimisation Objective documentation.

 

Section 14 – Retention and restriction of records

Clauses 7.3.6, 7.4.7, 7.4.8 of the PIMS sets requirements for PII Controllers regarding access, correction and/or erasure, return, disposal of personal information.

Clause 8.4.2 requires PII Processes to return, transfer or disposal of PII once there is no requirement to hold or process that information.

Zoho has defined retention periods and documented processes on disposal of data.

 

Section 16 – Quality of information

Clause 7.4.3 requires that data accuracy and quality is to be maintained throughout its lifecycle.

Clause 8.3.1 requires PII Processors to enable PII Controllers to perform the same.

Zoho has defined processes to ensure that data is kept accurate, and provides the abilities to its users to cater to this requirement through its products and services.

 

Section 17 – Documentation

Clause 7.2.8 of the PIMS requires to maintain records related to processing PII in the organisation’s capacity of a PII Controller.

Similar requirements are laid out in Clause 8.2.6 for a PII Processor.

Zoho maintains documentation of the processing operations performed by it.

 

Section 18 – Notification to data subject when collecting personal information

Clauses 7.3.2 and 7.3.2 of the PIMS requires determining and provision of the information to be provided to the PII principals.

Clause 8.3.1 provides implementation requirements for PII Processors to enable PII Controllers to fulfil their obligations towards their PII principals.

Zoho has determined the information to be provided and made it available via its privacy policy, help documents, FAQ and in-contextual help cards, pop ups.

 

Section 19 – Security measures on integrity and confidentiality of personal information

All applicable controls under the ISMS and PIMS provide the structural framework and the implementation of the policies of the systems enable the security of processing. These include technical and organisation measures such as HR, Physical security, IT Security, Awareness and Training, Logging and Monitoring, Encryption, Media Handling, Data Classification, User Access Management, Risk Management, Disaster Recovery, Business Continuity Plan, Capacity Management, Remote Working and the like.

 

Section 20 – Information processed by operator or person acting under authority

Clause 8.2.2 of the PIMS requires PII Processors to process personal information only on the instructions of the PII Controller.

Zoho enables its users to sign agreements to provide guarantees on the same.

 

Section 21 – Security measures regarding information processed by operator

Clause 8.2.1 of the PIMS requires PII Processors to have in place adequate security measures while processing personal information which are incorporated as part of agreements with PII Controllers.

Zoho has adopted measures to ensure the security of the data that it processes. More information on this is available here.

 

Section 22 – Notification of security compromises

Control 6.13 requires to have an information security management process in place.

PII Controllers can require PII Processors to notify them of security incidents even through written agreements as provided for in Clause 8.2.1.

 

Section 23 – Access to personal information

Clauses 7.3.6, 7.3.8 of the PIMS requires PII Controllers to have in place written processes to fulfil requests for access to personal information of PII Principals.

Clause 8.3.1 requires PII Processors to enable PII Controller to fulfil the obligation towards their PII Principals.

Zoho has written processes to handle such requests and enables its users to fulfil their obligations in turn through product features and services.

 

Section 24 – Correction of personal information

Clauses 7.3.6, 7.3.8 of the PIMS requires PII Controllers to have in place written processes to fulfil requests for correction of personal information of PII Principals.

Clause 8.3.1 requires PII Processors to enable PII Controller to fulfil the obligation towards their PII Principals.

Zoho has written processes to handle such requests and enables its users to fulfil their obligations in turn through product features and services.

 

Part B – Processing of special personal information

Section 27 – General authorisation concerning special personal information

Clauses 7.2.2 to 7.2.4 of the PIMS provides additional guidance on the processing of data belonging to special categories(also referred to as, ‘special personal information’ in the POPIA).

 

Part C – Processing of personal information of children

Section 35 –  General authorisation concerning personal information of children

Control 7.2.3 of the PIMS provides implementation guidance on obtaining consent and processing information from children.

 

Chapter 5 – Supervision

Section 55 – Duties and responsibilities of Information Officer

Controls 6.3.1.1, 7.3.1 of the PIMS lay the requirements to have a dedicated person or team to manage the compliance program and provides guidance on roles and responsibilities of such persons(s).

Zoho is in the process of registering the Information Officer with the Regulator as required by the POPIA.

 

Chapter 8 – Rights of Data Subjects Regarding Direct Marketing by Means of Unsolicited Electronic Communications, Directories and Automated Decision Making

Section 69 – Direct marketing by means of unsolicited electronic communications

Clauses 7.2.2, 7.2.3 of the PIMS requires the identification & documentation of the lawful basis of processing. Requirements for obtaining and managing consent are identified and documented.

Zoho has evaluated the consent requirements, documented its applicability and its processes have been designed to cater to these requirements.

 

Section 71 – Automated decision making

Clause 7.3.10 of the PIMS lays down requirements to be adhered to if automated decisions are taken by the organisation.

 

Chapter 9 – Transborder Information Flows

Section 72 – Transfers of personal information outside Republic

Controls under 7.5 and 8.5 of the PIMS lays down the guidance to be adhered to during transfers to other parties including identifying the countries of transfers, provision of information to customers, purposes, records of transfers and disclosures. Points 1(b), 1(c) and 1(d) of the POPIA are the most possible basis for transferring information in the context of data transfers by the organisation.


As mentioned at the beginning, this blog does not aim to provide all the details of the compliance program. You may reach out to privacy@zohocorp.com if you need further information on compliance with specific obligations. Do read our FAQ to find answers to some of your questions!

 

Related Posts