Zoho And POPI Act Compliance

24.08.21 01:00 PM By Danielle
Zoho complies with the Protection of Personal Information Act

In today's blog we will help you understand what POPIA is, detail Zoho's commitment to POPIA compliance and explain the data controls that Zoho has put in place to help you keep your business data secure. 

POPIA Explained

The POPI Act, also referred to as POPIA, stands for the Protection of Personal Information Act. It lays down standards for securing, and bringing accountability to, the collection, storage and processing of personal data. Any organisation that deals with the personal data of South African citizens must comply with the POPI Act.

Is Zoho POPIA compliant?

Absolutely! Zoho has made customer and user privacy their top priority for 20 plus years. Their suite of Software-as-a-Service solutions is used by numerous users in South Africa, and they are therefore committed to complying with the requirements of POPIA when processing personal information in both roles: as a Responsible Party and as an Operator.

Here are some (but not all) of the POPIA compliance commitments that Zoho has made:

> They only ask for the least amount of information necessary, gathering only what they believe is essential for doing business, or for the specific transaction at hand.

> They let customers know the information they have on them and allow them to opt out of specific engagements.

> They do not make a single rand from advertising revenue. This means that they avoid the fundamental conflict of interest between gathering customer information and fueling advertising revenue, and the unavoidable compromises in customer privacy that it brings.

> They have adapted their privacy policy for South Africa, which applies to the products and services provided by Zoho, their mobile applications, and applications posted by Zoho on Zoho's online marketplace and in other third-party online marketplaces. You can read their full South African adapted privacy policy on their website.

Zoho offers data controls within their Zoho applications

Zoho provides their customers (operators) with the following data controls, so that they can ensure that their business data stored on Zoho's cloud applications is secure and compliant with POPIA:

Access Management

Zoho provides infrastructure for managing user accounts through its Identity and Access Management (IAM) service, which offers:
  • User registration and de-registration options, and specifications on how to use them.
  • Functionality for managing the access rights of your cloud users.
  • Strong authentication techniques such as Multi-Factor Authentication and IP address restrictions.

Data Management 

Zoho provides a platform for you to manage your data with: 

  • Data sharing features for administrator and user-level controls.
  • Audit features on customer data to provide transparency on important activities and to track changes.
  • Data interoperability—the option to take a complete backup of data and configurations to migrate all or a part of your data to another SaaS provider.
  • Access limitation features that restrict employees from accessing customer data, ensuring that they can only do so when there is a specific reason.

Back-ups

As a Zoho user you can schedule a backup of your data, export it from the respective Zoho services, and store it locally in your own infrastructure if necessary.

Additional data security controls that you can put in place

Now let's look at some additional controls that you can put in place to ensure your business data is secure and POPIA compliant when using cloud-based applications like Zoho.

Conduct Security Awareness With Your Teams

Start by raising awareness about the POPI Act in your organisation, and about how the processes for collecting, storing, and processing personal information must be secured and aligned with the POPI Act standards. Each employee should sign a confidentiality agreement, after which they must undergo training in information security, privacy, and compliance.


Internal Security Audits

Run an extensive organisational programme to check existing processes and identify any gaps or leaks which might prevent you from becoming compliant. Ensure you have a dedicated compliance team to review procedures and policies and continuously align them with the POPIA standards.

Endpoint Security

All workstations must be configured with anti-virus software. Ensure that all team members' workstations have strong passwords, two-factor authentication enabled, and automatic locking when they are idle.

Periodic Review

Do periodic internal reviews and facilitate independent reviews and assessments by third parties to ensure that you remain compliant.

Do you want to know more?

If you have any additional questions about Zoho's POPIA compliance, contact us on connect@dsltelecom.co.za

Danielle