As if it is not challenging enough that your business must deal with the Protection of Personal Information Act (POPIA) in the year of COVID-19, now enter IT specialists who advise you on compliance and know of things such as spear phishing and worms, in a world where cookies are not sugary treats, a crash has nothing to do with vehicles colliding, clouds are not the ephemeral fluffy white cumulus we see floating in the sky, and the dark web is not from a Harry Potter movie.
Our Thought of the Week shared on Tuesday addressed a misconception amongst business owners that the task of complying with POPIA is an IT responsibility. This is not accurate, despite the very important part that IT safeguards play in achieving compliance, because complying with POPIA is ultimately a people challenge, as we explained in previous blogs. The crashes and leaks that endanger personal information happen at the hands of people. From ongoing training of staff to access control around information and even appointing a Privacy Officer, POPIA has the power to affect almost every aspect of your business, and it has ramifications for a number of your internal processes.
What does POPIA require?
Many headlines around information security failures involve cyber-related technology threats and breaches. In the cyber world, the range of potential scenarios for the loss of personal information is complex. This is indeed why POPIA, in Condition 7 (“Security Safeguards”), requires businesses to take “appropriate, reasonable technical and organisational measures” to prevent “loss of, damage to or unauthorised destruction” of personal information and “unlawful access to or processing” of personal information.
How? By taking “reasonable measures” to do four things:
1. Identify reasonably foreseeable internal and external risks
Businesses are therefore required to implement a formal, structured approach to identifying risks, which ideally should be a team effort. Risks may be found in the physical security environment, such as access control to business premises, theft or loss of digital devices, and accidental or intentional disclosure or theft of personal information. But it does not end there: technology risks cover a wide range of possibilities, including action by cybercriminals in a ransomware attack, corruption or loss of data through a malware attack, hacking of your network or individual digital devices, and other techniques. Identifying a risk is not enough: each risk needs to be assessed for its potential impact on your business and the likelihood that it will materialise, and addressed accordingly.
2. Have appropriate safeguards in place
Once the risks that are reasonably likely to occur have been identified, they must be addressed. In other words, appropriate safeguards should be devised and implemented to ensure the protection of personal information. These may include physical access control and restraints (including “locking down” vulnerable information); technical measures aimed at addressing accidental and malicious cyber threats (such as data loss prevention and endpoint protection systems); training of staff to raise awareness of the threats and of appropriate prevention measures; policy amendments or updates as part of an effective governance regime; and an ongoing commitment to maintaining these safeguards.
3. Verify that the safeguards are working
Verification can be as simple as conducting a “clean desk” sweep to check that staff conform to the policy for personal information protection, or more sophisticated, such as simulated attacks (ethical hacking and phishing simulations) or checks conducted by internal auditors or verification agencies.
4. Update your safeguards
Threats to information security are continually evolving in line with the technologies themselves. The challenge of securing the personal information for which the organisation is responsible across a multiplicity of smartphones, tablets, flash drives and the like grows and changes daily. Identifying risks is therefore not a once-off exercise, but a complex and difficult ongoing task. So involve your IT team in the process of complying with POPIA, or let our Compliance Law Unit assist with your compliance, including an assessment of your IT risks.
Contact our Compliance Department on firstname.lastname@example.org for assistance to address your business’ POPIA compliance requirements.