The POPI Act (Protection of Personal Information Act) commenced on 1 July 2020, when the President proclaimed the start of its remaining sections. Businesses now have a one-year grace period to bring their IT security and data-handling practices in line with the Act's requirements.
In this cybercrime-ridden age, the security of personal information in your care must take centre stage on the business risk agenda. Our security experts have compiled valuable information on the POPI Act and POPI compliance in South Africa.
POPI Compliance South Africa
In SA, businesses and public institutions must comply with POPI, the Protection of Personal Information Act No.4 of 2013, and now have a hard compliance deadline of 30 June 2021.
Companies must securely manage the collection, storage and processing of any personal information about customers and employees.
The assumption that POPI only applies to large organisations processing millions of personal records is inaccurate, since small businesses are equally responsible for protecting personal information.
While the Act allows a one-year grace period for compliance, its intent is that companies comply sooner rather than later.
Non-compliance can attract fines of up to R10 million or even imprisonment, as well as civil claims for compensation from individuals who have suffered damages.
A recent white paper on POPI compliance found that most South African companies lack the controls needed to meet the Act's requirement for appropriate, reasonable technical and organisational security measures, which means that minimum standards for IT security are currently not being met.
The POPI Act should not be viewed as an inconvenient legal burden, but as a key component of a company’s cyber risk mitigation strategy.
The Rise Of Business Cyber Risk
One only has to consider that the average cost of a data breach in South Africa is R36.5 million to understand the financial risk to a business.
The likelihood of being attacked is also rising, with recent figures showing businesses under constant attack at a rate of more than 22 million attempts a week.
In the first six months of 2020, nearly 16 billion records were exposed in data breaches, including those of Fortune 500 companies in the U.S.
Hackers sold account credentials, sensitive data and confidential financial information belonging to large companies, including Twitter and Zoom.
Cast your mind back to 2018 and the Facebook data breach, in which a British analytics firm, Cambridge Analytica, obtained the personal information of up to 87 million users and used it to target political campaigns in several countries.
And then there is the recent South African credit bureau attack, the August 2020 Experian breach, in which the records of some 24 million individuals were exposed.
Both the reputational and financial risks related to data breaches like these should be enough to spur companies into action. Today it is not a matter of if your company will be hacked, but when!
How Does POPI Reduce This Risk?
Through the Act, businesses must comply with certain minimum requirements when processing personal information of customers and employees.
These requirements include:
- A company cannot outsource its accountability for personal information to another party. Even when an operator processes the data on its behalf, the company remains fully responsible and liable for that information from the time it is collected until it is deleted.
- Personal information can only be collected for a valid and lawful reason and must not be retained for longer than it is needed (unless legally required).
- Customers and employees must be informed of what personal information is being processed and for what purpose, and the processing must rest on a lawful basis, most commonly their consent.
- Personal information must be secured: companies must take appropriate, reasonable technical and organisational measures to prevent loss of, damage to, and unlawful access to the information.
- Personal information may not be disclosed to another party unless the customer or employee consents or another lawful ground permits it.
- The information must be destroyed in a controlled way when the reason the information was collected and held in the first place is no longer valid.
- Companies must ensure personal information stored on removable media, such as memory sticks, is also protected.
- POPI also protects individuals against unsolicited electronic communications. Direct marketing by email or message requires the recipient's opt-in consent (or an existing customer relationship), and every message must offer a way to opt out; a company that markets without this process could land up in hot water.
POPI Act And IT Security
POPI compliance should not be viewed as a once-off project, rather it is a fundamental activity that should be incorporated at a business, IT and operations level.
A company’s IT Security and POPI compliance should also be reported on at board level, with oversight at an executive level, as the consequences of a personal information breach are too important to ignore.
In the absence of an information officer, the CEO is responsible and liable for POPI compliance by default which is an indicator of how seriously it should be taken.
And while it may be difficult to expect a CEO or an MD to take on the responsibility of an information officer, the fact is the importance of IT security must be driven from the top.
Besides a dedicated information officer who is responsible for driving compliance, an experienced IT security specialist must be included as a vital part of your POPI compliance team.
POPI Act And Data Protection/Breaches
According to ENHALO's security experts, an IT security strategy provides adequate protection against data breaches only when it takes a multi-layered, best-practice approach that includes:
- Conducting Security Gap analyses
- Implementing ongoing risk assessment
- Consistent vulnerability scanning and penetration testing
- Deploying best-practice technologies that cover the relevant attack vectors
- A strict data protection policy
- Secure access points
- Remote Endpoint Security Management (RESM)
- Proactive monitoring for external and internal threats with advanced network monitoring and security detection platforms
- Incident response processes and procedures
- Detection and response technologies such as Data Loss Prevention (DLP), Security Information & Event Management (SIEM), Security Orchestration, Automation & Response (SOAR) solutions, and User & Entity Behaviour Analytics (UEBA).
ENHALO’s Approach To POPI Compliance
We believe that cybersecurity risks are business risks. An organisation can only mitigate that business risk with the right IT security approach. Partnering with ENHALO to detect threats, prevent breaches and protect your business and clients' data provides assurance that your business is secure and compliant.
Our IT security solution involves the following core services:
- A Continuous Breach Detection Service (CBDS) platform
- User & Entity Behaviour Analytics (UEBA)
- Cyber Threat Hunting
- Digital Forensics and Incident Response
- Complete protection of your entire information environment with Security Information & Event Management (SIEM), Security Orchestration, Automation and Response (SOAR) combined with UEBA.
- Security and Network Operations Centre (SNOC). Advanced network monitoring and security detection to enable proactive, rapid response to incidents, meeting compliance requirements. Our managed SNOC provides you with budget predictability through a set monthly fee; it is cost-effective and our onboarding process gets the SOC/NOC operational within 48 hours.
To round off the six core pillars, ENHALO also provides comprehensive gap analysis, email security, firewall management and next-generation antivirus to protect your IT assets.
Why Partner With ENHALO For Your POPI Compliance?
Ensuring POPI compliance in South Africa is different for each company, as there is no one size fits all approach. What your company needs will relate very much to your specific business and the foundations you already have in place to protect your network and data.
ENHALO (Pty) Ltd is the most agile and progressive cyber technology company in South Africa with a complete range of cybersecurity offerings to ensure tailored POPI compliance.
For POPI peace of mind and a tailored compliance plan for the next 12 months, connect with us today.
Disclaimer: Insights and press releases are provided for historical purposes only. The information contained in each is accurate only as of the date the material was originally published.