Legal View

Avoid POPI penalties

The role of technology in complying with the POPI Act.

Johannesburg, 12 Oct 2017
Read time 4min 20sec
Regardt Wolmarans, ManageEngine Certified Engineer, ITR Technology.
Regardt Wolmarans, ManageEngine Certified Engineer, ITR Technology.

Data is the new oil, its value to a business is incalculable. There's increasing focus on what companies do with that data, particularly when it contains personal information about individuals that interact with your business, whether they be employees, customers or suppliers.

As of 25 March 2018, all businesses that have pretty much anything to do with individuals based in the European Union (EU) will have to comply with the General Data Protection Regulation (GDPR). Think it doesn't apply to you* If you have a Web site that markets to EU inhabitants, or a newsletter that's sent to them, then you're included.

GDPR - much like the local Protection of Personal Information (POPI) Act - regulates how organisations may collect, process, store and share personal information. While there's no commencement date for POPI, some aspects of the regulation have already been implemented and the general best guess is that it'll be implemented either towards the end of this year, but definitely before December 2018. "However, this doesn't mean that companies should delay compliance, particularly if GDPR might impact on them," says Regardt Wolmarans, ManageEngine Certified Engineer from ITR Technology. "Once POPI commences, South African organisations will have a year in which to become compliant."

There are two aspects to both pieces of legislation: how personal data may be obtained; and what the organisation is permitted to do with that personal information. So everything from collecting the data to processing, storing and disseminating it is covered. But first we need to establish what constitutes personal information.

This can be information such as the person's name, ID number, address, phone number, marital status, biometrics, banking information, health-related information, data related to their economic status; even their opinion linked to politics, culture or religion count as personally identifiable data. GDPR even goes so far as to name online identifiers such as IP addresses and cookies as personally identifiable information.

Both pieces of legislation cover the points below:

* Get consent - to collect the data and to process it.
* You must have a valid reason for collecting that type of information.
* Be transparent about how the data will be used.
* Destroy that information if the individual requests it.
* Keep the data current.
* Store that data separately from your business data.
* Know how long you may store it for.
* Know who accesses that data at all times and ensure it can't be accessed by unauthorised persons.
* Safeguard the data from breach.
* Notify individuals if their data is breached.

Paying for POPI

Businesses that don't comply with POPI, regardless of whether it's intentional or accidental, can face severe penalties. The act makes provision for fines of up to R10 million and even a jail sentence of up to 10 years, depending on the seriousness of the breach.

Under GDPR, businesses face even heftier fines if their security systems are found to be inadequate or if they fail to comply with the requirements imposed by GDPR. A fine can be as much as EUR10 million or 2% of their worldwide annual turnover, whichever is the greater amount.

However, while both pieces of legislation impose severe penalties for non-compliance, neither actually tells organisations what measures they can implement in order to be compliant.

Using technology to be compliant

Wolmarans says: "Technology has a vital role to play in keeping businesses compliant with POPI and other legislation.

"The ability to audit your systems and track processes related to personal information is key. You need to know who accessed what data when. Then there's access control to ensure that unauthorised persons can't view confidential data. All business regardless of where they are located require a security solution that will either prevent data breaches or alert the business should a breach occur. You also need to be able to conduct a forensic analysis around any breach that does occur, to identify what data has been exposed so that the relevant parties can be notified immediately."

"A decent security information and event management (SIEM) solution should be able to do all of the above, and more, if paired with a real-time file auditing and monitoring tool," says Wolmarans.

What to look out for in an SIEM solution:

* Ability to detect data breaches.
* Ensure security of the stored personal data.
* Track access to that data in terms of who accessed it when and from where.
* Track any critical changes to files and folders in which personal data is stored.
* Monitor all the activities of all devices and users on your network.
* Report anomalies to administrators instantly.
* Generate reports or audit trails around incidents.

"Implementing the right technical and organisational measures to defend or mitigate against security breaches can go a long way towards minimising the damage to data and reduces the costs that would be incurred otherwise," concludes Wolmarans.

Login with