What does POPIA require?
Many headlines about information security failures involve cyber-related technology threats and breaches. In the cyber world, the range of potential scenarios for the loss of personal information is complex. This is why POPIA, in condition 7 (“Security Safeguards”), requires businesses to take “appropriate, reasonable technical and organisational measures” to prevent “loss of, damage to or unauthorised destruction” and “unlawful access to or processing” when processing personal information. How? By taking “reasonable measures” to do four things:
1. Identify reasonably foreseeable internal and external risks
Businesses are therefore required to implement a formal, structured approach to identifying risks, which ideally should be a team effort. Risks may be found in the physical security environment, such as access control to business premises, theft or loss of digital devices, and accidental or intentional disclosure or theft of personal information. But it does not end there: technology risks cover a wide range of possibilities, including action by cyber criminals in a ransomware attack, corruption or loss of data through a malware attack, hacking of your network or individual digital devices, and other techniques. Identifying a risk is not enough: each risk needs to be assessed for the potential impact and the likelihood that it might strike your business, and addressed accordingly.
2. Have appropriate safeguards in place
Once the risks that are reasonably likely to occur have been identified, they must be addressed. In other words, appropriate safeguards should be devised and implemented to ensure the protection of personal information. These may include physical access control and restraints (including “locking down” vulnerable information); technical measures aimed at addressing accidental and malicious cyber threats (such as data loss prevention and endpoint protection systems); training of staff to raise awareness of the threats and of appropriate prevention measures; policy amendments or updates as part of an effective governance regime; and an ongoing commitment to maintaining these safeguards.
3. Verify that the safeguards are working
Verification can be as simple as conducting a “clean desk” sweep to check that staff conform to the policy for personal information protection, or more sophisticated, including simulated attacks (such as ethical hacking and phishing simulations) and checks conducted by internal auditors or verification agencies.
4. Update your safeguards
Threats to information security are continually evolving in line with the technologies themselves. The challenges of securing the personal information for which the organisation is responsible, spread across a multiplicity of smartphones, tablets, flash drives and the like, grow and change daily. Identifying risks is therefore not a once-off exercise but a complex and difficult ongoing task. So involve your IT team in the process of complying with POPIA, or let our Compliance Law Unit assist with your compliance, including an assessment of your IT risks.