POPI Act, Are You Compliant?

The POPI Act (Protection of Personal Information Act) officially commenced on the 1st of July 2020 when it was signed into effect by the President. This means that businesses now have one year to ensure their IT security is compliant with the Act’s requirements.

In this cybercrime-ridden age, the security of personal information in your care must take centre stage on the business risk agenda. Our security experts have compiled valuable information on the POPI Act and POPI compliance in South Africa.

POPI Compliance South Africa

In SA, businesses and public institutions must comply with POPI, the Protection of Personal Information Act No.4 of 2013, and now have a hard compliance deadline of 30 June 2021.

Companies are required to securely manage the data capture and storage process related to any personal information of customers and employees.

The assumption that POPI only applies to large organisations processing millions of personal records is inaccurate, since small businesses are equally responsible for protecting personal information.

While POPI allows a year for compliance, the principle behind the Act is that companies are urged to comply sooner rather than later.

The consequences of non-compliance are penalties of up to R10 million in fines or even jail sentences, not to mention compensation payable to individuals for the damages they may have suffered.

In a recent white paper on POPI compliance, it was revealed that most South African companies do not have the necessary controls recommended in the POPI Act, which means that minimum standards for IT security are currently not being met.

The POPI Act should not be viewed as an inconvenient legal burden, but as a key component of a company’s cyber risk mitigation strategy.

Read the official POPI act here

The Rise Of Business Cyber Risk

One only has to consider the fact that the average cost of a data breach in South Africa is R36,5 million to understand the financial risk to a business.

The likelihood of being hacked is also on the rise: recent figures show that businesses are constantly under attack, with more than 22 million attempts a week.

In the first six months of 2020 nearly 16 billion records of various Fortune 500 companies in the U.S. were exposed to substantial data breaches.

Hackers sold account credentials, sensitive data, as well as confidential and financial information of large companies including the likes of Twitter and Zoom.

Cast your mind back to 2018 and the Facebook data breach, in which a British analytics firm gained access to the personal information of up to 87 million users to influence various elections across the globe.

And then there is the recent South African credit bureau attack where 24 million records were stolen.

Both the reputational and financial risks related to data breaches like these should be enough to spur companies into action. Today it is not a matter of if your company will be hacked, but when!

How Does POPI Reduce This Risk?

Under the Act, businesses must comply with certain minimum requirements when processing the personal information of customers and employees.

These requirements include:

  • A company cannot outsource its obligations by handing the processing of personal information to another party. It remains 100% responsible and liable for the processing of the information from the time it is processed until it is deleted.
  • Personal information can only be collected for a valid and lawful reason and must not be retained for longer than it is needed (unless legally required).
  • Customers and employees must be made aware of – and consent to – the personal information being processed. This includes being made aware of the type of information being processed and the purpose for which it is being held.
  • Personal information must be secured, and companies have to take appropriate and reasonable technical measures to prevent data loss, damage and unlawful access.
  • Personal information cannot be disclosed to any other party unless the customer or employee gives consent.
  • The information must be destroyed in a controlled way once the reason for which it was collected and held is no longer valid.
  • Companies must ensure that personal information stored on removable media, such as memory sticks, is also protected.
  • POPI also aims to protect individuals from unsolicited electronic communications. Any company sending messages or emails to customers without an opt-in and opt-out process could find itself in hot water.

POPI Act And IT Security

POPI compliance should not be viewed as a once-off project; it is a fundamental, ongoing activity that should be incorporated at a business, IT and operations level.

A company’s IT security and POPI compliance should also be reported on at board level, with oversight at an executive level, as the consequences of a personal information breach are too important to ignore.

In the absence of an information officer, the CEO is responsible and liable for POPI compliance by default, which is an indicator of how seriously it should be taken.

And while it may be unrealistic to expect a CEO or an MD to take on the responsibilities of an information officer, the fact is that IT security must be driven from the top.

Besides a dedicated information officer who is responsible for driving compliance, an experienced IT security specialist must be included as a vital part of your POPI compliance team.

POPI Act And Data Protection/Breaches

According to ENHALO’s security experts, an IT security strategy that provides adequate data protection against breaches is only effective when it takes a multi-layered, best-practice approach which includes:

  • Conducting security gap analyses
  • Implementing ongoing risk assessment
  • Consistent vulnerability scanning and penetration testing
  • Deploying best-practice technologies that cover attack vectors
  • A strict data protection policy
  • Secure access points
  • Remote Endpoint Security Management (RESM)
  • Proactive monitoring for external and internal threats with advanced network monitoring and security detection platforms
  • Incident response processes and procedures
  • Incident response technologies such as Data Loss Prevention (DLP), Security Information & Event Management (SIEM), Security Orchestration, Automation & Response (SOAR) solutions, and User & Entity Behaviour Analytics (UEBA)

ENHALO’s Approach To POPI Compliance

We believe that cybersecurity risks equate to business risks. An organisation can only mitigate business risk with the right IT security approach. Partnering with ENHALO to detect, prevent and protect your business and clients’ data will provide assurance that your business is secure and compliant.

Our IT security solution involves the following core services:

  1. A Continuous Breach Detection Service (CBDS) platform
  2. User & Entity Behaviour Analytics (UEBA)
  3. Cyber Threat Hunting
  4. Digital Forensics and Incident Response
  5. Complete protection of your entire information environment with Security Information & Event Management (SIEM), Security Orchestration, Automation and Response (SOAR) combined with UEBA.
  6. Security and Network Operations Centre (SNOC): advanced network monitoring and security detection that enables proactive, rapid response to incidents and meets compliance requirements. Our managed SNOC gives you budget predictability through a set monthly fee; it is cost-effective, and our onboarding process gets the SOC/NOC operational within 48 hours.

To round off the six core pillars, ENHALO also provides comprehensive gap analysis, email security, firewall management and next-generation antivirus to protect your IT assets.

Why Partner With ENHALO For Your POPI Compliance?

Ensuring POPI compliance in South Africa is different for each company, as there is no one-size-fits-all approach. What your company needs will depend very much on your specific business and the foundations you already have in place to protect your network and data.

ENHALO (Pty) Ltd is the most agile and progressive cyber technology company in South Africa with a complete range of cybersecurity offerings to ensure tailored POPI compliance.

For POPI peace of mind and a tailored compliance plan for the next 12 months, connect with us today.

Gerhard Conradie, Co-Founder and Global Head of Solutions Architecture at Enhalo

Gerhard, Co-Founder and Global Head of Solutions Architecture, sees quality staff as the most important asset to any business, and believes that giving them the space to grow as much as they are willing and able to, motivates them to grow Enhalo as well.
