South African businesses: POPI is coming to get you!

In South Africa, the Protection of Personal Information Act (POPI) was signed into law in November 2013 and companies will soon need to be fully compliant or face the significant consequences of ineffective data security management.

If the enforcements imposed by the UK Data Protection Act are anything to go by, then South African businesses are in for a long run of expensive penalties and embarrassing, high-profile data breaches. Many leading South African organisations have already set a poor precedent, as can be seen from examples made public recently.

Last year, the hacktivist group Anonymous hacked the South African Police Service’s website and leaked the sensitive and personal information of 16 000 individuals. This could have been a serious contravention of POPI if the law had already been enacted.

IT Web reported that the hacking of the SA Police Service’s website had “put thousands of lives in jeopardy, spells gross negligence and raises questions around the police’s IT systems and security”.

In November last year, the City of Joburg’s online services system also came under fire because of a serious security flaw that allowed municipal invoices to be viewed by anyone with an Internet connection. The publicly available invoices contained private information including names, addresses, account numbers, PIN codes, and even financial details. This type of negligence and poor data security management not only contravenes the individual right to privacy, but puts individuals at risk of identity theft and fraud.

In the United Kingdom, where the Data Protection Act (DPA) has been in force for some time, it has traditionally been the public sector at the receiving end of large monetary penalties due to DPA contraventions. Leading private organisations like Sony and the Bank of Scotland, however, have not escaped paying big fines.

Indeed, the public sector isn’t the only culprit. In May of this year, popular financial services and payroll software Sage Pastel warned its customers that they were taking action to address a security flaw in their systems that left the “extremely sensitive financial data” of 200 000 users vulnerable to third parties.  A statement released by Pastel Secured said that “Within minutes after using client data such as that left in the public domain by Sage Pastel we had gained full access to the entire database and all financial information.”

Once organisations start to feel the full wrath of POPI, they will realise that data security is at the core of data protection.  In the UK, poor data security accounts for more than 80% of known data breaches.  Data security can be described as the technical and organisational measures taken against unauthorised or unlawful processing of personal data, and against accidental loss or damage to personal data.

So, how do you apply adequate data or information security?

The information security standard ISO27001 has been embraced by companies worldwide as a solution for addressing all three elements of an organisation’s defences: technology, processes and people. ISO27001 adoption is growing 13% a year, and in South Africa adoption has grown 440% between 2006 and 2012 (when the last growth rates were released by ISO).

The ISO27001 implementation approach follows a proven framework for a robust information security management system (ISMS), which enables companies to implement measures that will improve their security against a broad range of risks. With cyber security becoming increasingly important for the future sustainability of any business, an ISO27001 certification is now being seen as a competitive advantage for securing contracts with governments and large businesses in many leading economies.

To find out more about how ISO27001 can help protect your data, visit our South African site for further information about ISO27001.

Our four structured ISO27001 implementation solutions enable any organisation to implement ISO27001 at a speed and budget appropriate to their individual needs and preferred project approach.