
Protecting personal information to take centre stage


Johannesburg, 23 Feb 2012

The Protection of Personal Information (POPI) Bill is to be enacted during 2012. Organisations will need to adapt their policies and processes to comply with the new legislation, which includes eight key principles for dealing with or processing personal information, similar to those already in place across Europe.

Safeguarding personal information is a central concern of this law, which will require IT investment from South African companies perhaps accustomed to a more cavalier approach to data protection.

The loss of unprotected laptops, back-up devices and USB sticks has been consistently exposed in the European press for some time now. In South Africa, the last major incident to be reported was back in 2009, when Zurich Insurance admitted to losing the financial personal information of around 46 000 South African policyholders.

Even this incident probably received such wide coverage only because it involved a UK subsidiary. No one believes that a lack of reporting indicates data leakage is not present; however, data loss has to date been of limited concern to African companies, as long as information was backed up. With the advent of POPI, this attitude is set to change.

It is only a matter of time before South Africa follows global IT security trends. In countries where data protection legislation is more mature, regulators have moved from being advisory bodies to being enforcement bodies. Heavy financial penalties are being given out to UK and US organisations in breach of their data protection responsibilities. So while complying with the new Bill may seem onerous, in the longer term, a failure to comply will result in financial implications that cannot be ignored. Moreover, for those organisations seeking to trade internationally, such standards are already becoming a prerequisite.

High-level encryption is now the standard way of protecting data in most firms, even when that data is carried around on a USB stick. Using encryption and policy-based network/IT resource security is a lot cheaper these days, and most solutions offer a level of automation, which minimises human intervention.

“The ease with which encryption and allied security technologies can be deployed to ensure data is automatically encrypted means it is a 'no-brainer' to install and use them,” says Jorina van Rensburg, CEO at Condyn. “Furthermore, the added benefit of being able to wipe data remotely if lost or stolen is a huge advantage.”

Remote access solutions provide the ability for users to securely access information without it ever leaving the organisation. Efficiently and securely delivering access not only to whole applications and servers, but enforcing tightly defined access, right down to folders, individual Web pages or even a single document, is another option for protecting sensitive information that is required for inter-agency collaboration.

Never forget the first line of defence for improving data protection is your users. It is vital that you bring them on board with any technical controls you decide to implement. Getting them to understand and accept why such security measures are required and why deviation from prescribed procedures poses a security risk to the organisation, and even a threat to their job security, often helps to focus minds. Only once people fully comprehend the reasons for security restrictions will you shift the prevailing casual attitude to data protection.

Condyn's top tips for improving data protection

* Demonstrate senior management commitment to strong IT governance through policy and investment;
* Raise awareness among employees of the importance of protecting sensitive and confidential data;
* Ensure employees and contractors understand and carry out their responsibilities when handling personal information;
* Assess the risk to your data and where your organisation is most vulnerable;
* Put in place technical controls to prevent data loss; and
* Create a documented incident response plan to minimise the impact of any data breach.


Condyn

Condyn is the leader in the provision of information security solutions for Africa and has been providing world-class solutions for more than a decade within Africa, both in the public and private sector. Condyn has a team of dedicated and knowledgeable key account managers that is supported by a competent and experienced technical team to assist you with all your information security risk and compliance requirements. Condyn is a distributor for Cryptzone IT security solutions across Africa. For more information, call 012-665 4356 or visit us at http://www.condyn.net.

Editorial contacts

Jorina van Rensburg
Condyn
(+27) 012 665 4356
jorina@condyn.net