POPIA Condition 7 – what you should know
POPIA is going to be enforceable as of 1 July 2021, and while the majority of businesses have already embarked on their data protection journey, having a set deadline for compliance puts the pressure on, says Pieter Nel, Regional Head for SADC at Sophos.
Nel makes particular reference to the POPI Act’s Condition 7 on security safeguards, which requires businesses to secure all of the personal information that they have by implementing appropriate and reasonable security measures.
He clarifies: “The POPI Act sets forth eight conditions for the lawful processing of personal information. These conditions address how organisations demonstrate accountability for the privacy of individuals in South Africa. The Act regulates how this information is collected, stored, processed and shared. It also includes security measures that responsible parties must comply with to ensure the integrity and confidentiality of personal information.”
In brief, businesses have an obligation to safeguard the personal information that they have from being destroyed unlawfully, accessed unlawfully, being lost or damaged. They need to put reasonable technical and organisational measures in place to protect this personal information. They also need to identify and prioritise new risks.
Nel highlights three major areas for POPI Act Condition 7 compliance: perimeter defence, data protection and access control to data, and discusses the types of measures that can be deployed.
- Perimeter defence
Businesses can deploy firewalls to monitor and block malicious, exploitive inbound and outbound traffic and consider solutions such as intrusion prevention systems, advanced persistent threat, anti-virus, sandboxing, Web and e-mail protection. It’s also key to implement a solution that can identify and highlight shadow IT, the use of IT-related hardware or software without the knowledge of IT or security department. Identifying such usage helps to prevent exposure of sensitive data through non-approved company services (Dropbox, etc) and can save organisations from potential risk. Deployed solutions must be able to share threat, system health and security information in real-time.
- Data protection
Endpoints require protection against data-stealing malware and ransomware. Data on mobile devices must be secured and encrypted. Data should be encrypted and secured wherever it goes, including in transit. Businesses should consider a solution that automatically detects shared storage and database resources in the public cloud, assessing security posture and configurations to reduce the risk of a data breach.
- Data access control
Businesses should consider user-aware control over applications, Web surfing and other network resources and the ability to identify users who utilise high network traffic. Compromised machines should be isolated, preventing lateral movement or data exfiltration. It’s also key to manage access privileges for user, group and cloud service roles able to access public cloud accounts and resources storing data. Identity access management (IAM) policy updates must be done on a regular basis. Protect privileged and administrator accounts with two-factor authentication.
“Most South African businesses had already implemented some of the measures suggested above to secure personal information long before POPIA or GDPR were enacted, so may just need to review their data protection policies and technologies and possibly implement some additional ones where required. Access rights and security measures also need regular review,” says Nel.