Four common POPIA myths debunked

Brian Pinnock, cyber security expert, Mimecast.

After a lengthy process, local organisations now have to ensure they are fully compliant with the provisions of the Protection of Personal Information Act (POPIA), as the grace period for implementing appropriate measures comes to an end.

Every business that collects, processes, shares or stores the personal data of SA citizens, organisations or legal entities, and has not yet done so, is therefore at risk of contravening POPIA's provisions.

That’s according to Brian Pinnock, a cyber security expert at Mimecast, who says POPIA establishes eight minimum requirements for the lawful processing of personal data, but the provision most fraught with risk is arguably security safeguarding.

“Cyber security teams and their technology partners play a vital role in protecting the organisation not only from cyber attacks, but also from the subsequent regulatory risks associated with successful data breaches,” he says.

As organisations scramble to ensure they are POPIA-compliant, he cautions them not to get caught out by four common POPIA-related myths:

Myth #1: A data breach only happens when data leaves the organisation

The traditional view of a data breach is one of data exfiltration, where data is 'stolen' from an organisation's systems. However, Pinnock says data does not need to leave the organisation for it to be considered a data breach. POPIA applies to any unauthorised access to personal information, and even data that is encrypted in an attack constitutes a data breach.

Myth #2: Compliance can be outsourced to an external provider

This, he says, is perhaps the most dangerous myth of all, and could put businesses, and their data, at risk. No single vendor or solution can ensure full POPIA compliance. A vendor can help an organisation move towards compliance to some extent, but there are multiple moving parts that organisations themselves need to attend to if they are to be fully compliant.

Similarly, it is not enough to take out cyber insurance as a mitigating measure, since it provides little or no protection against intentional negligence or illegal activities. If the right measures are not in place, it is unlikely the insurer will pay out in the event of a cyber attack.

Myth #3: Unlike with GDPR, under POPIA it is easier to pay the fine than to become compliant

It is true that GDPR's penalties are more severe: fines of more than R850 million have been imposed to date, whereas POPIA's maximum penalty is R10 million. However, organisations that fall foul of the act can suffer immense damage to their reputations, which can be exponentially more damaging in the long term.

Myth #4: Any data breach puts companies at risk of non-compliance and penalties

According to Pinnock, under Chapter 3, Section 19 of POPIA, organisations must take appropriate measures to prevent '(a) loss of, damage to or unauthorised destruction of personal information; and (b) unlawful access to or processing of personal information'.

The key here, he says, is to take 'all reasonable steps' to protect personal data.

“Organisations can still be considered compliant even if they fall victim to a data breach, provided they can prove that they took every reasonable step to prevent such a breach.”