POPI Compliance: Don’t let POPI cost you or your clients their business here are tips to get a head start!

POPI applies to almost all organisations across every industry and sector of society, and the consequences for non-compliance are significant (fines up to R10 million or jail sentence up to 10 years). If it affects you, you will need to start to thinking about compliance now. Our supplier created a microsite designed to help you understand the POPI Act, quantify the requirements, and offer solutions.

POPI states that ‘appropriate, reasonable technical and organisational steps’ to prevent personal information from being unlawfully handled, and that international standards (like GDPR) and laws should be considered.

IT Security as a Solution for Compliancy | The 3 Pillars of IT Security

1. The Fundamentals: Endpoint Protection
The ever-increasing cyber threats such as ransomware, phishing or social engineering present risk to your data and a successful attack can bring about both a data and financial loss to an organisation. ESET Endpoint Protection uses multi-layered, next-generation technologies that go far beyond basic virus scanning that should form the foundation of any basic IT security setup.

2. Integrity through secure system access
Weak or lost passwords are among the greatest security risks to a system. No amount of security can be effective if passwords are compromised. ESET Secure Authentication is a two-factor authentication product that minimizes the risk of passwords becoming compromised and allowing attackers to gain unauthorised access to your system and data.

3. Confidentiality through encryption
Maintaining the confidentiality of personal information is a key requirement of POPIA, especially account numbers and ‘special personal information’. The GDPR specifically prescribes encryption as a mandatory measure towards data privacy, and therefore encryption is a necessity for POPIA compliance. DESlock Encryption by ESET is an effective measure for protecting highly sensitive information, as well as providing a safeguard against a data breach if a portable storage device is misplaced, intercepted or stolen.

Here are 5 steps to Aid your journey towards POPI compliance:

1. You need to know what is required
It is important that you know what role you play in the context of POPI – if you are a responsible party or an operator. A responsible party, for example, is the person that collects the information.

Mobile phone companies, as an example, would be a responsible party because when you sign a contract with them, they collect your personal information. A third-party service provider that may do billing for the mobile phone company would be defined as an operator – and the operator is expected to operate their business under the controls defined by the responsible party.

Therefore, it is essential that first-things-first you understand the role you play within POPI.

2. Get a broad understanding of what Personal Information you hold Information is not just personal information on individuals, it is also your juristic entity information. The business needs to get a proper understanding of what the information it currently holds or process on both parties.

3. Get an understanding of how you process the information
Do you use third-party applications, is there a limitation on who can and can’t access information? What is the actual information architecture around the data?

If you are providing third-party access, have you got mitigating controls in place to ensure how they access the information is secure. Is it stored in a secure format, is it encrypted?

4. What would happen should I ever be compromised?
If you have a third-party supplier that are accessing or processing Personal Information on your behalf, what would be the impact to your organisation should there be some loss of fidelity to your personal information by the third party.

5. What controls do I need to implement?
Based on the answers to number four, you can then review what current controls you have in place, and what controls you need to put in place.

It is more than likely the regulator will make an example of a company or find a breach which they will have to act on, and then use the responsible organisation as an example. We ask the question: Do you want to be the business that the regulator decides to make an example of?

For more information as to how ESET solutions can assist with POPI compliance simply email: info@atcompsolutions.co.za