The Protection of Personal Information Act (POPIA) came into full effect on 1 July 2021. Amid the ongoing debate among industry leaders about what POPIA compliance requires, businesses should be taking stringent cybersecurity measures as they work towards it.
According to Rian Schoeman, head of legal and chief privacy officer at LAWtrust, POPIA facilitates an atmosphere of compliance to ensure that businesses protect their consumers’ personal information.
Most importantly, POPIA aims to protect the personal information of both consumers and employees by requiring businesses to collect, share and store that information responsibly, and by holding them accountable should it be breached.
A recent global survey by Mimecast – an IT company specialising in cloud cybersecurity services for email, data, and web – revealed that 79% of organisations experienced disruptions, financial loss or other setbacks due to a lack of cyber preparedness in 2020, thus leaving some organisations with security vulnerabilities that could significantly impact their day-to-day operations.
“The newly implemented POPIA sections indicate there will now be much closer scrutiny on companies when it comes to the protection of personal information. This means that businesses should implement a robust cybersecurity program that focuses on securing the infrastructure, network, endpoint and the data through its lifecycle,” adds Schoeman.
Echoing Schoeman’s comment, Brandon Naicker, a cybersecurity executive at LAWtrust, says: “Strong privacy requires protecting a user’s identity from unauthorised access and use, whereas strong security requires binding a user’s identity to their behaviour to allow for authentication, authorisation, non-repudiation and identity management.”
Important cybersecurity requirements and measures under POPIA include:
* Identify all reasonably foreseeable internal and external risks to personal information in the company’s possession or under its control;
* Establish and maintain appropriate safeguards against the risks identified;
* Regularly verify that the safeguards are effectively implemented;
* Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards;
* Focus on strong authentication: multi-factor, biometric and out-of-band controls such as one-time PINs (OTPs);
* Implement a strong encryption policy backed by digital certificates that provide a trusted identity for people, devices and things;
* Use digital signatures to provide non-repudiation for secure transactions;
* Implement cryptography through the use of public key infrastructure (PKI), to ensure privacy and confidentiality.
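The last three measures (certificate-backed identity, digital signatures for non-repudiation, and a PKI to anchor trust) are easier to reason about with a concrete exchange. The following is an added example, not code from the article or from LAWtrust, written against Go’s standard library only. It builds a constructed two-level PKI (a root CA and one signer certificate issued to the hypothetical identity "alice@example.com"), signs a constructed consent record with the signer’s private key, and then performs the relying party’s check: the signer certificate must chain to the trusted root before the signature is even examined. All names, serial numbers and validity periods are illustrative.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with issuerKey on behalf of parent (parent == tmpl means self-signed).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// PKI is a constructed hierarchy: one root CA and one signer certificate issued under it.
type PKI struct {
	RootCert   *x509.Certificate
	SignerCert *x509.Certificate
	signerKey  *ecdsa.PrivateKey // stays with the signer; the CA only ever sees the public key
}

// NewPKI self-signs a root CA certificate, then issues a leaf certificate that
// binds the hypothetical identity "alice@example.com" to a fresh signing key.
func NewPKI() (*PKI, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	rootCert, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice@example.com"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
	}
	leafCert, err := issue(leafTmpl, rootCert, &signerKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return &PKI{RootCert: rootCert, SignerCert: leafCert, signerKey: signerKey}, nil
}

// Sign produces an ECDSA signature over the SHA-256 digest of record.
func (p *PKI) Sign(record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return ecdsa.SignASN1(rand.Reader, p.signerKey, digest[:])
}

// VerifySignedRecord is the relying party's check. It trusts only root, requires signerCert
// to chain to it and be within its validity period, and only then verifies the signature.
// On success it returns the certified name, which is what ties the record to an identity.
func VerifySignedRecord(root, signerCert *x509.Certificate, record, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signerCert.Verify(opts); err != nil {
		return "", fmt.Errorf("signer certificate not trusted: %w", err)
	}
	if err := signerCert.CheckSignature(x509.ECDSAWithSHA256, record, sig); err != nil {
		return "", fmt.Errorf("signature does not match record: %w", err)
	}
	return signerCert.Subject.CommonName, nil
}

func main() {
	p, err := NewPKI()
	if err != nil {
		panic(err)
	}
	record := []byte(`{"subject":"data-subject-42","consent":"marketing","granted":true}`) // constructed
	sig, _ := p.Sign(record)
	who, err := VerifySignedRecord(p.RootCert, p.SignerCert, record, sig)
	fmt.Println("genuine:", who, err)
	_, err = VerifySignedRecord(p.RootCert, p.SignerCert, []byte("altered record"), sig)
	fmt.Println("tampered:", err)
	rogue, _ := NewPKI() // same code, but its root is not in the verifier's trust store
	rogueSig, _ := rogue.Sign(record)
	_, err = VerifySignedRecord(p.RootCert, rogue.SignerCert, record, rogueSig)
	fmt.Println("untrusted issuer:", err)
}
```

Two points the example makes that the list does not: a signature is only evidence of who acted if the signer’s private key never left their control, so the non-repudiation the list promises depends on key custody (hardware tokens, HSMs) as much as on the mathematics; and a cryptographically valid signature from a certificate the verifier’s PKI did not issue is rejected before the signature is checked, which is the trust decision a PKI exists to make. A production verifier would also consult revocation data (CRL or OCSP), which this example omits.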
“To comply and avoid a data breach, businesses need to assess where personal information is being used, identify cybersecurity weaknesses and threats that might compromise the data’s integrity and put appropriate measures in place to mitigate any risks identified,” concludes Schoeman.