Seven practices to ensure compliance with SA’s POPI Act

The latest country to enact stringent data privacy legislation is South Africa, with the new Protection of Personal Information Act (POPI Act or POPIA). POPI sets a new standard for the processing of South African constituents' personal information by public and private bodies within and outside of the country’s borders. Organisations doing business in South Africa need to ensure their information security practices are updated to meet POPI compliance.

What is the purpose of the POPI Act?

The POPI Act sets in place regulations governing South Africa’s constitutional right to privacy, by safeguarding personal information when processed by a responsible part to balance the right to privacy against other rights, particularly the right of access to information; and protecting important interests, including the free flow of information within the Republic and across international borders. It also aims to regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information.

What information security measures do I need to take?

Section 19 clearly lays out what you need to do from a security perspective in great detail. Here’s a quick summary of what’s required for compliance:

1. A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent:

1. Loss of, damage to or unauthorised destruction of personal information; and
2. Unlawful access to or processing of personal information.

2. In order to give effect to subsection (1), the responsible party must take reasonable measures to:

1. Identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
2. Establish and maintain appropriate safeguards against the risks identified;
3. Regularly verify that the safeguards are effectively implemented; and
4. Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.

Seven practices to defend and protect personal data in your care

With penalties for data privacy violations growing in South Africa, and worldwide, organisations need to quickly assess their information security practices. The key to success is to balance the pervasive access to information made possible by enterprise collaboration applications – including data sharing tools, messaging apps and e-mail – while maintaining compliance with POPI and other regulations. Collaboration tools quite simply make it easy for employees to inadvertently share regulated information with unauthorised parties, or worse, steal it for malicious purposes. Regardless of the cause, your organisation is on the hook in the event of a breach.

“While this may seem like a daunting task, there are many solutions that can help you ensure POPI compliance and mitigate risk. A data-centric approach to managing compliance is a must to comply with POPI,” said Sean Glansbeek, CEO at Private Protocol.

Protection must be applied to the data itself as opposed to just the application or container in which it resides to best protect against breaches and compliance violations as it passes though digital hands within and outside your organisation.

Nucleus Cyber offers an advanced information protection solution that can help ensure your organisation is in compliance with the POPI Act information security mandates. The company’s NC Protect solution provides a simpler, faster and more cost-effective solution to tailor information protection to control user access to and sharing of regulated personal data and other sensitive information (intellectual property, financial information, healthcare information, HR documents, etc) in file sharing, messaging and chat across cloud, on-premises and hybrid collaboration tools.

NC Protect empowers organisations to implement and enforce POPI information security measures with an automated solution to:

1. Locate personal data that currently exists within the various storage repositories and tools used for file storage and collaboration, including on-premises files shares and cloud sharing applications including Microsoft Office 365 – SharePoint, OneDrive and Exchange, plus Dropbox, Nutanix Files and Windows file shares.
2. Automatically classify documents based on the presence of personal or other sensitive data governed by POPI and other regulatory guidelines.
3. Set business rules with your classifications to restrict actions that can be taken with classified documents such as print, e-mail, save as or downloading to prevent data leakage.
4. Ensure that documents accessed and shared in group messaging and chat tools like Microsoft Teams and Yammer have the same data security restrictions as other collaboration tools.
5. Restrict collaboration between users in different geographical locations or subsidiaries to meet regulatory guidelines (information barriers).
6. Automatically adapt security controls to the changing risk profile of data as users and third parties access and collaborate across multiple locations, organisational and geographic boundaries, and devices.
7. Track access to regulated personal data for auditing and compliance purposes.

Ensure compliance without sacrificing collaboration

Protecting data governed under POPI is of utmost importance for organisations doing business in South Africa – not doing so will harm both your brand’s reputation and your bottom line. Organisations must strive to keep the right balance between what users need from a collaboration perspective and what the organisation demands from a security perspective to remain in compliance.

NC Protect’s advanced information protection capabilities can help you ensure compliance with POPI, as well as other international data regulations and business policies – without sacrificing the advantages of collaboration.