Popia and Cybersecurity
The Good, The Bad and The Ugly
Information security and data privacy are at the core of the Protection of Personal Information Act (POPIA). POPIA facilitates an atmosphere of compliance to ensure that businesses protect their consumers’ personal information. Most importantly, POPIA aims to protect the personal information of both consumers and employees by making sure businesses conduct the responsible collection, sharing and storage of information by holding them accountable should that information be breached.
The newly implemented POPIA sections indicate there will now be much closer scrutiny on companies when it comes to the protection of personal information. This means that businesses should implement a robust cybersecurity program that focuses on securing the infrastructure, network, endpoint and the data through its lifecycle.
Strong privacy requires protecting a user’s identity from unauthorised access and use, whereas strong security requires binding a user’s identity to their behaviour to allow for authentication, authorisation, non-repudiation and identity management.
Companies that prioritise the safeguarding of their proprietary and customer data will benefit from better business resilience in the face of increased cybercrime while simultaneously complying with the Act.
POPIA has forced us all to re-evaluate and improve our cybersecurity to protect ourselves from data breaches (which no-one can afford) and it has opened a door for us all to streamline our data management systems, minimise the information we collect and organise our storage. This in turn leads to a better return on investment. By purging irrelevant data and cutting databases down to customers that trust and want to engage with you, your target becomes an audience more likely to react to your efforts.
Achieving compliance is more than understanding the basics of the Act. It requires a change in behaviour wherever a business works with data. As Tanya Long (Chief Operating Officer: Argility Technology Group) rightly points out: ‘We are all in it up to our necks. My advice is to exercise an abundance of caution and commission consultants to verify you have not only done enough but have done it correctly. The latter is more likely to produce a peaceful night’s sleep without POPIA nightmares breaking through.’
We couldn’t agree more. We have recently completed the compliance process and the journey was a long and arduous one. The sheer volume of work is daunting and changing behaviour to ensure continuous compliance demands an ongoing, full time commitment by management and staff. It needs to be part of the culture of the organisation.
Compliance has become a key component in all our processes, across departments and inclusive of stakeholders, suppliers and every individual in the organisation.
Tanya goes on to say: ‘As with every business in the country, we must evaluate these responses in terms of risk ratings and compliance − the POPIA buck does not stop with your business but also applies to all your business associations. So, there will be questions that surface around responsibility and accountability for commercial implications, data on shared infrastructures and in transit via third-parties external to the entire environment, to name a few.
Third-party operators and vendors that process personal information must, in terms of POPIA, provide assurances of the necessary security and compliance measures, but we are all possibly set to encounter grey areas, such as when a customer processes data using a system built by a vendor, particularly if the agreement is a subscription model. If the data belongs to the customer, and is processed under the authority of the customer, should the developer of the system have any accountability?
Questions such as these will spark debate. In business today, there are many overlaps and ripple effects, and where one system impacts or integrates with another, the responsibility for managing and securing the data is not always clear.
Any company in the position of providing services to businesses is a data operator, but they are also a data processor within their internal structures and processes, raising a potential need to negotiate the impact of compliance and shared risk models. All organisations in this position will need to address the question of how to ensure third parties they engage with remain compliant.
Charl Ueckermann (Securitysa.com) offers a succinct and useful approach:
“A robust and resilient business should be your primary goal. Rather than focusing only on compliance, use this as an opportunity to sharpen your organisation’s data protection capabilities. Once you understand how POPIA and other information security standards, such as ISO27001, can benefit your business, it's like hitting two birds with one stone: you take appropriate and reasonable steps to fine-tune how your business works with confidential information, and compliance follows naturally”.
This is the approach we also took, and with great success. It pivots the focus sufficiently to cover all the bases.
The elements required to protect personal information are the very same elements needed for the protection of other valuable information in a business. CIOs and IT managers should address the confidentiality, integrity and availability of data, and cover both the cyber and physical security aspects of information protection. For instance, controls must be in place to stop employees from accessing or downloading information that they should not be privy to, as well as preventative measures and policies around sharing information in other ways, such as telephonically or by saving information onto a USB device and leaving it lying around.
Herewith some useful steps recommended by Rian Schoeman, Head of Legal and Chief Privacy Officer at LAWtrust:
Identify all reasonably foreseeable internal and external risks to personal information in the company’s possession or under its control;
Establish and maintain appropriate safeguards against the risks identified;
Regularly verify that the safeguards are effectively implemented;
Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards;
Focus on strong authentication, using multifactor, biometric, and out of band controls, such as One Time Pin’s (OTP);
Implement a strong encryption policy that uses a combination of digital certificates to provide a trusted identity for people, devices and things;
Use digital signatures to provide non-repudiation for secure transactions;
Implement cryptography through the use of public key infrastructure (PKI), to ensure privacy and confidentiality.
To comply and avoid a data breach, companies need to assess where personal information is being used, identify cybersecurity weaknesses and threats that might compromise the data’s integrity and put appropriate measures in place to mitigate any risks identified.
Companies are increasingly subject to vendor cybersecurity audits and failing such an audit will in all likelihood result in the loss of that business. Furthermore, the legal penalties against responsible parties include a fine or imprisonment of between R1m and R10m or one to ten years in jail as well as paying compensation to data subjects for the damage they have suffered.
Then there is the reputational damage, losing customers and employees and failing to attract new customers as serious consequences to also consider.
LIVE+ is fully compliant and offers a wide range of services including digital and real-time staff motivation programs, online campaign measurement and evaluation systems, always-on mobile solutions including rich digital communications across SMS, USSD, WhatsApp and bulk email, product sample tracking platforms, real-time key metrics and performance indicators from your data to swiftly guide business decisions, digital audience engagement platforms providing gamified engagement and social amplification.