Think data protection first, POPIA compliance will come
Information security and data privacy are at the core of the Protection of Personal Information Act (POPIA). Companies that prioritise the safeguarding of their proprietary and customer data will benefit from better business resilience in the face of increased cyber crime while simultaneously complying with the Act.
“A robust and resilient business should be your primary goal. Rather than focusing only on compliance, use this as an opportunity to sharpen your organisation’s data protection capabilities.
"Once you understand how POPIA and other information security standards, such as ISO27001, can benefit your business, it's like hitting two birds with one stone: you take appropriate and reasonable steps to fine-tune how your business works with confidential information, and compliance follows naturally,” says Charl Ueckermann, CEO of AVeS Cyber Security.
The elements required to protect personal information are the very same elements needed for the protection of other valuable information in a business. CIOs and IT managers should address the confidentiality, integrity and availability of data, and cover both the cyber and physical security aspects of information protection. For instance, controls must be in place to stop employees from accessing or downloading information that they should not be privy to, as well as preventative measures and policies around sharing information in other ways, such as telephonically or by saving information onto a USB device and leaving it lying around.
The first step is to identify which information needs to be protected in the organisation. “Any information that you deem as critical to your business or mentioned in POPIA should be protected. This can include information about employees and customers, product information, research data, financial information and other intellectual property,” says Ueckermann.
Starting with a facilitated POPIA assessment is a productive and cost-effective way to help a business determine how compliant they are with POPIA, which sections of the Act are applicable based on the nature of their operations, and which information should be protected. Different companies in different industries will need to take different steps. Additionally, what applies to a big corporate may not apply to a small or medium-sized business.
“A guided assessment further provides valuable insights into where there are gaps and how to prioritise addressing them. An implementation roadmap often follows a good POPIA assessment to show where to focus information protection efforts to meet POPIA's requirements timeously,” says Ueckermann.
Ueckermann concludes saying that a proactive approach to information security now will help companies to ensure that their houses are in order, and done cost-effectively, before the POPIA grace period ends in June 2021.
“If you are not already thinking about information security, there is no better time than now. Look beyond compliance and focus on protecting your business, your intellectual property and the stakeholders that are linked to it. As you take steps to take control of your information and organisational processes, you will also prepare for POPIA. The great value-add of having control of your information is that breaches are less likely to be missed and you will have the tools and systems in place to respond quickly to, and recover from, security incidents.”