As data breaches continue to plague organisations worldwide, South Africa is taking extra measures to protect its citizens by rolling out new legislation. The country’s Protection of Personal Information (POPI) Act imposes requirements on holders of personal data to guard against unauthorised access and, in the event of a breach, mandates that the organisation notify the Regulator and the impacted data subjects.
Continuing the trend in many regions toward introducing new data protection legislation, the POPI Act was signed into law in 2013 by South African President Jacob Zuma, although it is not yet in effect. South Africa’s Information Regulator is expected to put the Act into force in the second half of 2018.
It behooves companies, government agencies, nonprofits and other entities to understand what new requirements POPI imposes on them. Notably, the law is not limited to organisations based in South Africa: if you have information on anyone who’s a South African citizen in any of your databases, POPI applies to you. In other words, keep reading.
More data, more risk
The drivers for enhanced data security include the proliferation of new technology platforms to create, transmit, analyze and otherwise manage data. Technology trends such as cloud, mobile, social and collaboration are increasing demand for data management and security capabilities. Consumers are sharing more personal and sensitive information about themselves on computer networks, creating more situations where data is at risk.
Further, as governments continue to recognize the importance of data security, they enact regulations that may duplicate measures adopted by other government entities. So, an organisation that is subject to the POPI Act may also be subject to the EU’s General Data Protection Regulation (GDPR).
As data security mandates become stronger, organisations must be more proactive and responsible for the protection of the data that they handle and how they transfer that data to a third party. Even entities that believe they already have strong security in place need to pay much closer attention to their processes and the security technologies they deploy.
Addressing key aspects of POPI
One particularly important element of the Act, Condition 7, details two criteria for securing personal information. First, Item 19 states that an organization must secure the integrity and confidentiality of personal information against loss, damage, unauthorised destruction or unlawful access. Item 19 also requires organisations to identify the potential risks to personal information and to establish safeguards against such risks. Further, entities are required to regularly monitor, audit, update and otherwise enhance their security as the threat environment changes over time.
Another important element of POPI, Item 22, specifies what an organisation must do in the event of an actual breach. Specifically, the responsible party must notify the regulator and the data subject(s) impacted by the breach “as soon as reasonably possible after the discovery of the compromise.”
In short, Item 19 details the security an organisation must have in place under POPI, while Item 22 details what the organisation’s response must be if a breach happens anyway.
While POPI requires organisations to secure the data they hold, encryption is intended to make that data useless to cybercriminals even if they manage to steal it.
According to the Thales 2017 Global Encryption Trends Study, 41 percent of those organizations surveyed say they have encryption in place on data across their enterprise. Notably, that encryption is done whether the data remains on their network or, as is happening more frequently these days, is moved to the cloud.
While that 41 percent encryption adoption rate is notable, it also means 59 percent of organisations have not yet embraced encryption as part of their data security strategy, potentially exposing them to non-compliance with POPI.
But as more data is created and sent across networks, as enterprises capture and process more personal data, and as more data security laws such as POPI are enacted, organisations need a data security and compliance strategy that is up to the task.
For more information about the encryption capabilities Thales offers, please visit our dedicated landing page.