What It Is

Protection of Personal Information Act, 2013 (Act 4 of 2013)—POPIA—is South Africa's comprehensive privacy regulation enforcing lawful processing of personal information for natural and juristic persons. Its risk-based, accountability-driven approach structures compliance around eight conditions in Chapter 3, overseen by the Information Regulator.

Key Components

• **Eight conditionsAccountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, data subject participation.
• **Core elementsData subject rights (access, correction, objection), mandatory Information Officer, operator contracts, breach notification (Section 22), prior authorisation for high-risk activities.
• **Compliance modelDemonstrable controls via documentation, audits, no formal certification but enforceable via fines up to ZAR 10 million.

Why Organizations Use It

• Legal mandate for all processing personal information in South Africa.
• Mitigates fines, imprisonment, civil claims; enhances trust, operational efficiency.
• Strategic for GDPR-aligned multinationals, B2B data handling.

Implementation Overview

• **Phased approachGap analysis, data mapping, governance, controls, training.
• Applies universally across sectors, sizes; focuses on high-risk first.
• Requires ongoing audits, no certification but Regulator scrutiny.

What It Is

IEC 62443 is the international consensus-based series of standards for securing Industrial Automation and Control Systems (IACS). It provides a comprehensive, risk-based framework spanning governance, risk assessment, system architecture, and component requirements tailored to OT environments with unique constraints like availability and safety.

Key Components

• Four groupings: General (-1), Policies (-2), System (-3), Components (-4).
• Seven Foundational Requirements (FR1-7) like authentication, integrity, and availability.
• Zones/conduits model, Security Levels (SL0-4) with SL-T/C/A triad.
• ~127 CSMS requirements; ISASecure certifications (SDLA, CSA, SSA).

Why Organizations Use It

• Mitigates OT cyber risks, ensures safety/reliability.
• Meets regulatory references (e.g., NIS-2), supply chain demands.
• Enables certified procurement, reduces downtime/insurance costs.
• Builds stakeholder trust via shared responsibility model.

Implementation Overview

Phased: governance (2-1), risk assessment (3-2), controls (3-3/4-2), certification. Applies to critical infrastructure globally; requires OT expertise, audits for maturity (ML1-4).