Companies would do well to ask themselves three questions about device security ahead of POPI compliance.
The Protection of Personal Information Act (POPI) is drawing ever closer to commencement, as the appointment of POPI's official Information Regulator draws near.
Any business that handles personal data in any way should begin preparing.
The government remains committed to POPI's full implementation, staying true to its statement in the Estimates of National Expenditure that "the Protection of Personal Information Act (2013) aims to promote the protection of personal information processed by public and private institutions. The Information Regulator, established by the Act, will deepen individuals' constitutional right to privacy by ensuring that personal information held by institutions is safeguarded and only used for its intended purpose."
This signals that POPI is coming, and it should have SMEs and companies of all sizes asking questions about how they will ensure their compliance. POPI requires adequate safeguards for all personal data collected, processed or retained by an organisation. The Act also mandates that the data subject (the person whose information it is) be informed in the event of a data breach. The effect of POPI is that companies in all industries will need to adapt their practices to comply.
Here are three critical questions pertaining to device security for a company's next management meeting, which will grant insight into its preparedness, and begin the internal conversations that need to take place ahead of POPI enforcement:
1) What is the company's current process for managing lost or stolen mobile devices?
In today's workforce, it's common for employees to carry their work on mobile devices - laptops, phones, tablets or USB drives that may belong to the company, or to the employees themselves, under a bring-your-own-device policy.
These devices may offer essential gains in productivity, especially when utilised to optimise operations in the field - but they also represent a data security front that is critical to protect. Because these devices are carried around, the chance that they will be lost or stolen is higher. The additional fact that they may belong to employees but contain work data - including the personal information of customers - only puts them further out of a company's hands. However, these remotely located devices are not necessarily out of the company's control. Unauthorised access can be guarded against through data security tools that enable encryption enforcement, remote data wiping, data quarantines, killing of cached credentials, and revocation of network access from the compromised device.
Companies where personal data is accessed on mobile devices should have tools like these in place, and should develop defined processes for how those tools are put into action when devices are lost or stolen.
2) Does the company currently have a way to encrypt data on PCs (Windows/Mac OS X), phones (iOS/Android/Windows), tablets (iOS/Android/MS Surface) and USB storage, and can the company adequately prove it to any customer, supplier or auditor that asks?
Encryption is the main line of defence for sensitive data - it's essential that all personal data held by a company is both stored and transmitted in an encrypted state. POPI requires this level of data security, and the ability to demonstrate and report on these measures is also an important piece of POPI compliance.
It's necessary to have tools that monitor and grant visibility into a company's inventory of devices, and the encryption status and data access controls for each. In the event that auditors and regulators need evidence of a company's secure data practices, these tools can deliver that proof. They can also save the day. For example, if a laptop full of private personal information is stolen, but the data is encrypted and access to it can be quickly removed, there is no data breach.
Beyond the need for POPI compliance, showing these capabilities to customers and suppliers can win trust and be a valuable competitive differentiator in forging business relationships.
3) Should device security and POPI compliance be current concerns for the company? And what are the company's timescales to address this security risk and compliance need?
While the commencement date for POPI has yet to be set, experts anticipate it as imminent. From that date, it is expected that companies will have a one-year grace period to enact solutions that make them compliant. Device security and POPI compliance will certainly be a concern for most companies - any business that handles personal data in any way should begin preparing. Companies should consider the day-to-day activities that will need to be carried out.
In the meantime, before POPI's requirements are enforced through breach notifications and penalties, implementing capable data security measures offers desirable competitive and reputational benefits. Companies that will have to make changes to comply with POPI might as well do so now, and begin realising those rewards. The tools needed to gain secure data controls are an investment, but a necessary and affordable one that is worth making. And for those trading with the EU, the recently enacted General Data Protection Regulation will require these practices as well.