How compliant are you?

Like many things in business, compliance is a dynamic factor, with organisations often fluctuating above or below the target line. Without systems in place to address the range of risks you face, and without a culture of compliance, you will be exposed to unnecessary risk on an ongoing basis. We can help you to stay above the line.

With the Protection of Personal Information Act (POPI) coming into effect in 2018, the onus is on any holder of Personal Information (“PI”) within a company to take precautions proportionate to a self-assessed threat and usage level, in an environment of increasing malicious intent.

Best practice is not defined in POPI; rather, a checklist can be derived against which a company measures itself, and against which it can be measured in the event of a breach.

  • Software Encryption – prevent your software being reverse engineered or tampered with.
  • Data Encryption – ensure files, where Personal Information is stored, are encrypted.
  • Secure PI data whilst in transmission or at rest.
  • Use only industrial-grade computer/device passwords.
  • Actively maintain your firewalls.
  • Protect and secure PI and IP so that an attempted breach can be repelled.
  • Use a system that can restrict access to data on devices that are lost or stolen.
  • Have a system in place that supports an exit process when a client or employee leaves.

What happens if there is a security breach?

In terms of POPI you need to be proactive, as the law puts an obligation on you to report a breach.

In terms of section 22 of the Act: Notification of security compromises.

  1. Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify
     a) the Regulator; and
     b) subject to subsection (3), the data subject, unless the identity of such data subject cannot be established.

The law also determines that the notification to the data subject must be in writing and communicated in one of the following ways:

  • mailed to the data subject’s last known physical or postal address;
  • sent by e-mail to the data subject’s last known e-mail address;
  • placed in a prominent position on the website of the responsible party;
  • published in the news media; or
  • as may be directed by the Regulator.

The following information needs to be disclosed in the notification:

  • a description of the possible consequences of the security compromise;
  • a description of the measures that the responsible party intends to take or has taken to address the security compromise;
  • a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
  • if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.

Conclusion

In preparation for POPI you should consider your current processes, access rights and security measures. Data protection and encryption systems represent around 30% of your total compliance requirements. Make sure you use world-leading technology like Wibu-Systems CodeMeter and Encrypter to achieve this. Regarding your other measures (training, physical access, data management), it is likely that some of these will need to be reviewed and new processes or systems implemented to ensure compliance. Remember that POPI does not provide a defined list of measures to implement. Always consider applicable industry best practice and standards, and make sure that you can demonstrate compliance.