Best practices for POPIA compliance
Complexity, budget and time are among the challenges organisations wanting to achieve compliance with the Protection of Personal Information Act (POPIA) face, but they have to better protect sensitive information or face serious consequences.
This is according to Dave Matthews, technical solutions manager at archTIS, who was speaking during a webinar hosted by archTIS on Best Practices to Protect Personal Data. Matthews said: “Protecting sensitive data, which used to be an IT problem, has now become a business problem.”
POPIA, like GDPR, CCPA and other global legislation, protects Personally Identifiable Information (PII), with conditions including accountability, processing limitations and specifications, and limitations on further processing. It also specifies information quality measures, openness and security safeguards. The penalties that can be levied for non-compliance include administrative fines of up to R10 million, payable within 30 days, and up to 10 years’ imprisonment; consequences can also include compensation to data subjects, reputational damage and business interruption.
Matthews said challenges in the way of compliance include exponential data growth, hybrid data distribution, a culture of data hoarding; the complexity of achieving compliance; the need to control security spend; and a lack of time – particularly where IT teams are understaffed.
A poll of webinar participants found that 72% felt complexity was the biggest roadblock in the way of POPIA compliance, and only 9% said they were already compliant.
“Organisations are just saying ‘we now need to protect everything’, but this approach could mean we’re encrypting terabytes of lunchtime e-mails and Christmas party photos, and monitoring users’ daily activities unnecessarily,” Matthews said.
While not all data needed stringent controls, sensitive IP and PII had to be properly protected and managed, he said.
He cited breaches such as the Experian leak of the PII of 24 million South Africans, caused by a fraudster posing as a client, and an incident at a London law firm in which an IT administrator misused admin privileges to access confidential salary data. Tools such as WhatsApp and other channels that organisations cannot control could also put information at risk, he cautioned.
“As we have seen with GDPR, we will see penalties being imposed for a failure to comply with POPIA in future,” he said.
Matthews said the seven best practices to protect PII were:
1. Locate and identify both structured and unstructured data across all on-premises, cloud and hybrid infrastructure and shadow IT;
2. Discover sensitive information, such as PII, financial and health information, and classify it as such;
3. Restrict access by implementing appropriate rules or data handling policies, and train staff to comply;
4. Limit activities, preventing duplication of sensitive data and protecting it from being shared via e-mail, messaging and printing;
5. Apply information barriers covering geographical restrictions and subsidiaries;
6. Adapt security controls, implementing attribute-based access controls or applying restrictions to unauthorised devices, geographical areas and travel;
7. Monitor activity, tracking access to regulated personal data and performing regular reviews.
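Steps 3 to 7 above come together in an attribute-based access decision: a deny-by-default check that pairs user attributes (subsidiary, country, device state, clearance) with data attributes (classification, owning subsidiary, permitted countries), blocks sharing and printing of PII, and records every decision for review. The block below is an added illustration and not archTIS code; the attribute names, the rules and the sample records are all constructed for this example.

```python
"""ABAC check for documents classified as PII (added example, not archTIS code:
attribute names, rules and sample records are constructed for illustration)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

LEVELS = {"public": 0, "internal": 1, "pii": 2}  # classification order
AUDIT_LOG: List[dict] = []  # every decision is recorded for later review

@dataclass(frozen=True)
class Document:
    name: str
    classification: str                # output of the discovery/classification step
    owner_subsidiary: str              # information barrier between subsidiaries
    allowed_countries: FrozenSet[str]  # geographical restriction

@dataclass(frozen=True)
class Subject:
    user: str
    subsidiary: str
    country: str          # where the request originates
    device_managed: bool  # unauthorised devices are denied
    clearance: str        # highest classification the user may see

def evaluate(subject: Subject, doc: Document, action: str) -> Tuple[bool, List[str]]:
    """Deny by default; each rule pairs a user attribute with a data attribute."""
    reasons: List[str] = []
    if LEVELS[subject.clearance] < LEVELS[doc.classification]:
        reasons.append("clearance below document classification")
    if doc.classification == "pii" and subject.subsidiary != doc.owner_subsidiary:
        reasons.append("cross-subsidiary information barrier")
    if subject.country not in doc.allowed_countries:
        reasons.append(f"access from {subject.country} not permitted")
    if doc.classification != "public" and not subject.device_managed:
        reasons.append("unmanaged device")
    if action in ("share", "print", "copy") and doc.classification == "pii":
        reasons.append(f"{action} of PII is blocked")
    allowed = not reasons
    AUDIT_LOG.append({"user": subject.user, "doc": doc.name, "action": action,
                      "allowed": allowed, "reasons": reasons})
    return allowed, reasons

def denied_events(user: str) -> List[dict]:
    """Monitoring step: a user's denied attempts, pulled from the audit log."""
    return [e for e in AUDIT_LOG if e["user"] == user and not e["allowed"]]

# Constructed sample records (not real data)
PAYROLL = Document("payroll.xlsx", "pii", "ZA-Sub", frozenset({"ZA"}))
ALICE = Subject("alice", "ZA-Sub", "ZA", True, "pii")   # in-scope HR user
BOB = Subject("bob", "UK-Sub", "ZA", True, "pii")       # other subsidiary
CAROL = Subject("carol", "ZA-Sub", "ZA", False, "pii")  # personal laptop
```

Reviewing `denied_events` per user, rather than only the allow decisions, is what turns the access log into the regular review the seventh step calls for.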
archTIS solutions apply and enforce dynamic, policy-driven access controls that leverage both user and data attributes to ensure users and partners access, share and collaborate on sensitive, classified and top secret information securely, he noted.