Email compliance For POPIA – South Africa

POPIA is an essential law in South Africa. It protects users’ rights to access and correct their personal information. Companies’ privacy rights are necessary. Individual privacy rights are also important. Privacy laws should include penalties, but fines aren’t enough. Regulators need more resources to enforce the law.

Most people aren’t aware that emails travel in clear text, meaning that the contents of the email are visible to anyone who sniffs out that email. Fewer people understand that email is more than just a way to send messages from one person to another. Outlook automatically brings up options when typing the first few letters, and before you know it, you may have shared a robust customer database with the wrong contact.

If I send you an email, it doesn’t go straight to your inbox but goes into your spam folder. Instead, one email travels through countless servers, some outside the Republic of South Africa, and you, as the sender, have no control over that, but you can be sure that it will reach its destination.

As a result, people often turn to solutions that might help them comply with the law. It’s a good idea, but every company should know technology alone won’t make them POPIA compliant.


The POPIA Act Will Affect Almost All Businesses In South Africa.

The POPIA applies to every type of company, regardless of size, sector, or location, so long as it is:

  • Based in South Africa.
  • Based outside of South Africa, but processes personal information within South Africa.
  • That means that non-South African companies doing business in South Africa should comply with the POPIA, whether they have any physical presence in the country.

Who Does POPIA Affect?

POPIA affects all organizations that store, collect or process personal information and are required to comply.

Personal Information means any information relating to an identifiable, living natural person or juristic person (companies, credit cards, etc.) and includes, but is not limited to:

  • Contact details: email, telephone, address, etc.
  • Name of the person if it appears with other information relating to the person
  • Types of demographic information: age, sex, race, birth date, pregnancy, marital status, ethnicity, disability, religion, sexual orientation, language, etc.
  • History: employment, financial, education, criminal, medical history
  • Biometric information: blood type, etc.
  • Correspondence sent by the person who is implicitly or explicitly private or further correspondence that would reveal the contents of the original mail;

One of the biggest challenges that any company faces is to map how personal data enters, travels, and leaves its business. After conducting that exercise, they will eventually conclude that the most significant vulnerability in any business is email and that they need to take action. Emails are complicated to control and are also one of the most effective sources of unwanted personal information leaving a business.

All South African companies are fully aware of POPIA compliance. Even though POPIA only has eight principles, complying with all 8 of them requires a lot of time, cost, and energy.

POPIA security safeguards include components every business needs to ensure for compliance, including:

  • The capability of releasing the email
  • Encrypt certain emails by default
  • Warn someone that an email they are about to send contains personal information.
  • Encrypt the email end to end
  • Encrypt attachments to an email

Email Encryption And POPIA


Does complying with the Protecting Personal Information Act (POPIA) also mean companies must use email encryption when sending personal information emails? Does sending unencrypted emails containing confidential information violate POPIA? The short answer is: that it depends on several factors. One of those factors is the nature of the personal information in the unencrypted email you’re sending. Is the personal information of such a nature that data subjects could suffer adverse harm if they hack the emails? Notably, while the answer under POPIA depends on several factors, policies like the Minimum Information Security Standards (MISS) have more explicit requirements for both public and private bodies transmitting important government information.

Data Immutability VS. Compliance


Complying with POPIA requires such protections and gives individuals the right to request corrections and deletions. The problem is that archiving setups offered on dominant email platforms may not handle immutability and compliance.

Some of these archives rely on retention locks or litigation holds, which last a set period. Only after the lock expires can they make a change, which is less responsive to requests than the law may require.

A supported archive setup can be enabled by an email security provider such as Trustifi.

Role of Data Loss Prevention In POPIA Compliance


Data Loss Prevention solves three significant objectives that apply to most organizations. 

  • First, is the organization collecting and storing confidential information? 
  • Second, does the organization have the process and capability to remove the client’s data upon request to meet the various privacy mandates? 
  • Third, does the organization have a secure access policy to enable multi-factor authentication based on user actions? 

DLP solutions can classify intellectual property in both unstructured and structured forms. They can set policies and controls to prevent unauthorized access. Data visibility helps organizations gain insight into how individuals interact with data. DLP can remediate various security challenges, including insider threats, office 365 data security, and user behavior.

  • Data breaches cause damage to the brand, regulatory violations, and loss of trust with customers.
  • Data Loss Prevention solutions require involving stakeholders.
  • Data Loss Prevention solutions must be implemented correctly and well maintained.
  • Data Loss Prevention solutions are complex. Encryption is necessary because it protects data.

Email Encryption And DLP – One Solution For POPIA Compliance


Like other compliance standards, the POPIA mandates “appropriate, reasonable technical and organizational measures” to prevent the loss of damage and or unauthorized access to personal information.

The POPIA sets out four broad ways in which all parties must secure personal information:

  • Identify internal and external risks
  • Establish and maintain safeguards
  • Regularly verify safeguards
  • Continually update safeguards

The POPIA also requires responsible parties to keep up-to-date with any sector-specific security standards and professional regulations and ensure any operators also apply security safeguards to personal information.

Management of DLP tools over time requires continuous evaluation and tuning. Over time, these tools become unmanaged and lose their effectiveness. Many organizations only turn on “the basic DLP” rules because of the lack of resources to manage the solution full-time. The hacker community knows that most security adaptive controls rarely get fully deployed, except for organizations that spend big dollars outsourcing to an MSSP or MSP service.

The following events are some of the leading causes of data leaks in 2022.

  1. Misconfigured Software Settings.
  2. Social Engineering
  3. Recycled Passwords
  4. Poor Encryption
  5. Software Vulnerabilities
  6. Use of Default Passwords.

Gartner often references in their security reports the challenges of misconfigured security solutions impact expected outcomes of SecOps protection strategies.

Data Loss Prevention identified protected compliance content within the email message in parallel with email encryption. It instilled rules to prevent data from leaving through the email channel by enacting email encryption and DLP to protect information attempting to leave the organization unprotected.

Organizations complying with POPIA understand the need to prevent data loss. Within their controls to ensure proper governance, they should also review their rules over encryption, data sensitivity, and granular visibility to ensure compliance with the law and protect customer data using best practices. Enterprises should review:

  • Encrypt any email with sensitive corporate information. Enabling DLP policies as a system-wide adaptive control will ensure all messages that match a content privacy rule with encrypting the outbound message.

A particular concern to enterprises is showing and validating compliance with POPIA requirements. The areas mentioned will assist with the POPIA control requirements.

Email Encryption Solution From Trustifi


Trustifi One-Click Compliance™ and Data Loss Prevention features make it easy to prove POPIA compliance and ensure your data remains secure, even if an organization collecting consumer data forgets to encrypt an email manually. The email administrator quickly selects which standards and Data Loss Prevention policies must comply with POPIA. Trustifi’s intelligent AI Engine will scan all outbound emails for sensitive content such as student records and automatically encrypt them.

 With Trustifi’s One-Click Compliance™, the solution takes the complexity out of compliance.

For an additional layer of security between potential attackers and your sensitive data, you can request that recipients verify their identities via multi-factor authentication (MFA).

With Trustifi, organizations collecting consumer information can send secure encrypted emails without remembering to click the encrypt email button. Just as quickly, recipients open an encrypted email with a single click even if they don’t have Trustifi themselves.

The email administrator sets all the DLP and email encryption policies on the backend to prevent accidental data loss of POPIA confidential information sent externally. Other solutions require users to log in to a portal to access encrypted emails, adding complexity to

“One-Click” Encrypt And Decrypt With Trustifi

Trustifi makes sending and opening emails simpler than ever. No log-ins, portals, or passwords are needed.


Groundbreaking Technology Supporting Optical Character Recognition Technology


Trustifi’s OCR technology uses machine learning to scan email attachments such as images and PDF files. It recognizes elements such as a credit card scan or a screenshot of a financial statement and categorizes those attachments as sensitive. The attachment files are automatically encrypted, reducing the opportunity for employees/individuals to transmit unprotected confidential material.


Emails Get Automatically Scanned


The system automatically scans outgoing emails, applies the rules your administrator sets, and then finds the no input from the user. This ensures that sensitive data and attachments are not at risk before they reach their intended recipient and are protected from the prying eyes of hackers.




Trustifi’s email security services feature a comprehensive suite of email tools for advanced threat protection, easily configurable Data Loss Prevention, and enterprise email encryption. Trustifi’s easy-to-use software is unmatched in its user-friendliness, flexibility, and cost-effectiveness. Trustifi’s time to value, ease of deployment, and lower cost of ownership for SecOps make the company culture secure and a financial match for any client seeking email security, data exfiltration, and message encryption.

Why Trustifi?


Trustifi is a cyber security firm featuring solutions delivered on software as a service platform. Trustifi leads the market with the easiest to use and deploy email security products, providing both inbound and outbound email security from a single vendor.

Trustifi has an extensive roster of clientele throughout North and South America, Europe, and the Asia Pacific. As a global cybersecurity provider of both inbound and outbound email protection, Trustifi currently supports customers from countries including the USA, Canada, Brazil, the Dominican Republic, the UK, the Netherlands, India, the UAE, China, and Japan, Cyprus, the Philippines, and more. The company has also developed “One-Click Compliance” capabilities that cater to a range of security regulations worldwide, including PDPO for Hong Kong, POPI for South Africa, GDPR for Europe, and LGPD for Brazil.

Request A Demo: Trustifi: Email Security Solutions


Whether you’re looking for an extra layer of protection in your existing email environment or a complete suite solution, the expertise and simplicity Trustifi offers will exceed your expectations. Let’s talk about a customized email security plan that perfectly fits your needs.