compliance

Magnitude is taking the necessary steps to comply with POPIA and GDPR.

POPIA protocols Statement - January 2021

GoMobile is on track with POPIA

GoMobile Pty Limited 2012/133150/07 [GoM] owns, develops and delivers the Magnitude service and is in the process of aligning its operations with the protocols required by the POPIA.

While POPIA is a law specific to the Republic of South Africa, it is very similar in both intention and content to the European GDPR. Both laws address the privacy rights granted to individuals and require companies that process the personal data of individuals to comply with regulations. In particular, the GDPR requires that even companies that do not have a presence in the EU but target the EU market or monitor the behaviour of EU citizens, be in compliance.

An interesting difference between POPIA and GDPR is that POPIA's definition of data subjects includes juristic persons, not only living persons. GDPR is focused only on living persons.

POPIA (and GDPR) is designed to strengthen the security and protection of personal data, as well as provide businesses with a structured framework on how to collect, process, use, and share personal data. The concept of ‘personal data’ is broad and covers almost any information relating to a specific individual.

Responsible Parties & Operators [GDPR: Controllers & Processors]

POPIA defines and distinguishes between two types of parties and responsibilities when it comes to collecting and processing personal data: Responsible Parties and Operators (the GDPR definition for these same roles is, respectively, Data Controllers and Data Processors). A responsible party determines the purposes and ways that personal data is processed, while an operator is a party that processes data on behalf of the responsible party. The responsible party can be any company or organization and an operator can be a SaaS, IT, or other company that is processing the data on behalf of the responsible party. GoM is an operator [processor]. GoM customers are Responsible Parties [Data Controllers]. The responsible party is responsible for making sure that all operators with whom it deals are POPIA compliant, and the operators themselves must keep records of their processing activities.

Current actions

The new regulations have substantially raised the standard and general awareness on matters of data protection, security, and compliance. We are committed to the ongoing work of assisting our customers to be compliant with the POPIA while using GoM as an operator.

In a coordinated effort between our development, product and compliance teams, we are running a project to ensure that both our platform (service) and legal terms are in line with the POPIA. We are in the process of specifically attending to:

• Security infrastructure and practices, data encryption in transit and at rest, backup, logs and security alerts.

• Risk assessments and data-mapping processes to ensure that data stored or processed is managed according to regulations.

• Adjustment of contractual terms in order to perform our role as an operator for our customers while complying with the POPIA.

o This includes a data processing agreement (DPA).

• Internal-focused procedures, controls and recurring training programme for our team.

• Assessment of our sub-operators to ensure their compliance.

• Appointment of an Information Officer [GDPR: Data Protection Officer].

• Development of product features to enable the organisation to deal with data deletion:

o An administrator can delete users’ personal data from the system [username, phone, email, picture, address, title, social network references, and other customer fields if provided].

Data storage

POPIA allows a business to store / process data outside of SA [GDPR, the EU] provided that the operator / processor adheres to the necessary regulations and protections. At GoM we utilise the services of Microsoft Azure, which has processing / storage sites globally, including inside of both SA and the EU. Azure is POPIA [and GDPR] compliant.