POPI Act Compliance

POPI ACT COMPLIANCE AND DATA PROTECTION

Intelligent and Secure Cloud Hosted Firewalls 

 

The POPI Act (POPIA) is here, so now what? POPIA commenced on 1 July 2020 with a one-year grace period, and organisations must be compliant by 30 June 2021.

If you are not sure of your POPI compliance status, or have not checked it, ASG can assist your business today: contact NSPE.

NSPE offers the following insights on POPI Act compliance and data protection.

 

What questions should we be asking ourselves?

As with any new regulation, there is no shortage of experts offering products and services built around it: corporate workshops and conferences, e-learning and online training courses, legal expertise and consulting services, among others. Before buying any of these, we suggest that as a business leader you answer the following five critical questions about the POPI Act:

1. Do we as an organisation need to comply with the requirements of POPIA?

For most organisations the answer is a resounding yes. Unlike the GDPR, POPIA does not have broad extraterritorial reach: it applies to responsible parties domiciled in South Africa, and to responsible parties not domiciled in South Africa that use automated or non-automated means located in South Africa to process personal information (other than merely forwarding it through the country). Essentially, if you are domiciled in South Africa or you process personal information in South Africa, you need to comply with POPIA. Some processing is exempt; for example, processing carried out purely in a personal capacity or as a household activity falls outside the Act.

2. Do organisations need a high-level awareness of the POPI Act?

Knowledge is power. A high-level awareness of POPIA across the organisation is key to the decision-making that follows and to taking the necessary steps to protect your clients' interests.

3. Who should be responsible for ensuring organisational POPIA compliance?

Every organisation must have an Information Officer. Under POPIA the head of the organisation (for a private body, typically the CEO) holds this role by default and may designate deputy information officers to carry out the day-to-day work; the Information Officer must be registered with the Information Regulator before taking up the duties. If nobody has been designated yet, now is the time to do so. This role is accountable for the organisation's POPIA compliance.

4. What are the next steps for my organisation?

Firstly, do not panic: there is time to prepare. At NSPE we believe that data protection is like personal fitness. Develop a training programme, set goals, and accept that it takes time and discipline. A practical starting point is an inventory of the personal information you hold, where it is stored, who has access to it and for what purpose; the remaining steps follow from that inventory.

5. What is the impact of POPIA on my organisation?

To make the best decisions for your organisation and your clients, you need a clear understanding of what POPIA means for you in particular. Compliance is not one-size-fits-all: different organisations face different requirements. What an SME must do to become compliant differs markedly from what a medium or large organisation must do. Requirements also depend on the controls already in place to secure personal information: some organisations have several security foundations in place, while others are entirely new to the issues at hand.

What is the impact of a data breach or cybercrime on my organisation?

A data breach or cybercrime incident can seriously damage your business reputation and your business relationships. More specifically:

Customer and client loyalty will be eroded, which in turn disrupts day-to-day business activities and hurts sales and profitability. A further debilitating consequence is that your organisation may be rendered legally liable to third parties.

Data breaches and cybercrime often cause prolonged network interruptions that further damage your bottom line and reputation. Systems may also have to be taken offline so that forensic and legal experts can investigate the extent of the breach.

Organisations that fall victim to a data breach or cyber-attack can be contractually liable to their business partners. This often brings substantial financial penalties and may result in the breach or termination of important business contracts. Organisations may also be contractually liable to other contracting third parties.

Once the applicable legislation on data breaches and cybercrime is in force in South Africa, organisations become liable for, among other things, notification costs, regulatory investigation costs and litigation costs, including criminal sanctions, damages and penalties.

Where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, POPIA requires the organisation to notify the Information Regulator and the affected data subjects as soon as reasonably possible; the organisation must also deal with the damage to its brand and to customer loyalty. Organisations that fail to comply with POPIA, whether intentionally or accidentally, are subject to severe penalties. Depending on the seriousness of the offence, the Act provides for fines of up to R10 million and/or imprisonment of up to 10 years.

The onus is therefore on organisations to ensure that the personal information they hold is adequately protected against loss, theft and unauthorised access.

HOW CAN WE GO ABOUT PREVENTING A DATA BREACH?

Here are a number of best-practice recommendations to help minimise the risk of a data breach.

Keep All Software Updated:

Keep operating systems, applications, firmware and security tools patched, not only the security software itself: attackers routinely exploit known vulnerabilities for which a patch already exists. Prioritise internet-facing systems and track patch status so that nothing is silently left behind.

Perform Regular Risk Assessments:

Carry out regular risk and vulnerability assessments to review changes and additions to the environment and to identify new data-protection risks. A vulnerability scan finds technical weaknesses; a risk assessment also weighs what personal information is at stake and how likely and damaging a compromise would be. Areas to cover include backup and data storage, and remote working by employees. IT policies and procedures should be updated at the same time to reflect current technologies and best practice.

Data Encryption and Backup:

Work devices such as notebooks issued to staff should have full-disk encryption enabled so that personal information on a lost or stolen device is unreadable. Rather than relying on portable backup devices that can be lost or stolen, back data up to a remote service over a secure (encrypted) connection, and make sure the backups themselves are encrypted at rest. A backup is only useful if it can be restored: test restores regularly, and keep at least one copy that an attacker who compromises your network cannot delete or encrypt.

Awareness Training for Staff:

Staff must be trained to follow best practice. Awareness training must cover vigilance against social engineering and how to avoid the mistakes that lead to security breaches. It should be repeated regularly so that it becomes part of the company culture rather than a once-off event.

Ensure Data Protection Standards are Maintained with Vendors and Partners:

Organisations must ensure that third parties that handle customer data on their behalf (operators, in POPIA terms) have the necessary security practices and systems in place to protect that data. POPIA requires a written contract with such operators, and the responsible party remains accountable for the personal information it entrusts to them.

3rd Party Data Security Evaluations:

Security experts can advise on the best available solutions to reduce the risk of a breach. Having a third-party security expert carry out an evaluation gives you an independent review and analysis of the risks in your current environment, and demonstrates a serious intention to protect personal information.

PREPARING YOUR BUSINESS FOR POPIA COMPLIANCE:

A comprehensive incident response plan is essential if your response to a breach is to be both quick and effective. Regularly ask what security protocols and programmes are in place to deal with data breaches and cyber-attacks, and test them rather than assuming they work.

Sophisticated cyber-attacks are on the rise across the globe, and South Africa is not excluded. Organisations will do well to expand their efforts to mitigate the consequences of these attacks. A primary objective at this juncture must be to implement the right measures to limit and manage the impact of any cyber-security threat.

A recent Accenture report, published during the pandemic, found that South Africa has the third-highest number of cyber-attacks in the world and that many users are unaware of the risks they face. The report summarises why South Africa is an attractive target:

Threat actors may perceive South African organisations as having lower defensive barriers than those in more developed economies, and as carrying a lower chance of consequences for their malicious activity, because of low investment in cybersecurity and still-developing cybercrime legislation in South Africa. Threat actors are certainly taking notice. By most accounts, South Africa has been criticised as being behind the curve when it comes to secure remote working.

The aim of the services below is to limit your exposure, increase client and customer confidence, reduce recovery time and cost, and keep any reputational damage to a minimum.

NSPE OFFERS A RANGE OF SECURITY ASSESSMENT SERVICES AND REPORTS:

  • Vulnerability Assessment (Wide Area Network or WAN)
  • Vulnerability Assessment (Local Area Network or LAN)
  • Vulnerability Assessment Report(s)
  • Vulnerability Assessment Remediation Implementation
  • Project Plan for Vulnerability Assessment Implementation
  • Malware Clean-up and Removal from the Network
  • IT Compliance Documentation for POPIA