Information officers (IOs) and IT managers are urged to comply with the provisions of the Protection of Personal Information Act (POPIA), which was signed into law in 2013.

This is the word from Cornelis Molenaar, IT governance advisor and implementer at AVeS Cyber Security: “It is important that IOs and others fully comprehend their responsibilities under the legislation,” says Molenaar, who notes that a snapshot survey of about a hundred IOs indicated a significant lack of awareness.

The alarm bell comes in the wake of the Department of Justice and Constitutional Development receiving a R5-million fine from the Information Regulator for failing to strengthen its cyber security following a 2021 ransomware attack that affected personal information records. The fine was levied after the department failed to act on the Regulator's enforcement notice within the 31 days it was given to implement the required corrective actions.

“It definitely has implications for all IOs and IT managers. There is a misconception that POPIA is just a tick-box exercise. Unfortunately, this is a huge misconception because proper compliance requires best-practice measures such as regular verification of your information security controls. For example, a minimum requirement would be a yearly assessment to ascertain whether the controls that are in place are actually effective or not and whether they can be improved upon,” says Molenaar.

Constant verification and updating are critical as new threats evolve and new technologies are developed. “There is a constant need to reconsider the risks identified and carry out a proper review. Compliance is a journey, not a checklist.” Molenaar says the Information Regulator’s latest action sets the tone for future notices and even fines. “It is clear the regulator has teeth and is willing to use its powers to enforce compliance to protect personal information,” he warns.

Any company concerned about its POPIA compliance status is urged to contact a solutions provider such as AVeS Cyber Security to conduct a cyber security posture assessment. The assessment examines whether procedures are in place for the IO to handle requests and notices from the Information Regulator, and whether the organisation can respond within the timeframe the Regulator sets.

“Our framework has got all of the required processes built into it already to give our clients the assurance that their cyber security posture is fully compliant,” says Molenaar. It implies a certain level of cyber security alertness and readiness to be able to deal proactively with any incidents. But what about those companies that do not as yet have any measures in place?

“The cyber security posture assessment is the first step to check that you have everything in place and then compare yourself as well with the POPIA compliance assessment. Once you know your gaps, you know what priorities to resolve. We offer a host of remediation services that can be customised. We can baseline any steps taken and then improve upon them. Otherwise, if no steps have been taken, we can assist them on their journey from scratch,” says Molenaar.

“The most important thing to remember is that continuously monitoring your cyber security environment is a mandatory security measure and a legislative obligation.” This obligation is set out in POPIA Section 19, ‘Security measures on integrity and confidentiality of personal information’, subsections (1) and (2): a responsible party, whether a private company or a public body, must identify reasonably foreseeable risks to personal information, establish and maintain appropriate safeguards, regularly verify that those safeguards are effectively implemented, and keep them updated as threats change. In practice the same controls protect confidential data in general.

“We recommend a comprehensive, robust information security governance and technology strategy that includes raising awareness and providing proper training,” highlights Molenaar. Failure to do so can result in a fine of up to R10-million.