In South Africa the Protection of Personal information Act (POPI) aims to regulate how companies secure the integrity and confidentiality of their data assets by taking technical and organisational measures to prevent the loss of, and damage and unauthorised access to, personal information. POPI was signed into law on 26th November 2013 but the commencement date is yet to be announced; companies have been given a year to achieve compliance with the Act. Penalties for failing to comply with the Act include prosecution, with possible prison terms of up to 12 months, and fines of up to R10 million. I believe that POPI will make life easier for IT organisations in South Africa.
Why is it so important for organisations to keep personal information safe?
Data breaches, and the resultant loss of information assets, can lead to huge financial losses for companies as well as the reputational damage and a loss of customer trust. The lack of robust Information Security Management Systems (ISMS) can leave organisations of any size and sector open to data breaches. POPI’s objective is to regulate the way personal information is collected and stored by organisations, which will in turn increase customer confidence in the organisations. The Act will apply to all organisations, regardless of size or sector, whether public or private, including the Government. As a reminder of the importance of data security, the City of Johannesburg suffered a massive data breach in August 2013 which allowed anyone to read citizens’ personal billing information on the Council’s website, including full names, account numbers, addresses, and contact details. Anything could have happened to that information, including targeted phishing attacks, and the production of fake ID books and proof of residence, which could have been used for terrorist purposes.
The major challenge of POPI is that companies will have to change the way they collect and store customer information as soon as possible: organisations have been given only a year to be compliant before the Act is enforced. Given the extent of changing business processes and employees’ attitudes it will be a serious challenge to reach compliance in only a year.
PwC’s “journey of implementation” report found that the majority of organisations in South Africa believe it will take several years to achieve compliance with POPI.
One way for South African organisations to make compliance with POPI easier would be to implement the international information security standard ISO27001, which sets out the requirements against which an organisation’s information security management system can be independently audited and certified. Implementing the standard will help South African businesses fulfil the compliance requirements of any related legislation (including the Protection of Personal Information Act). Moreover, by implementing ISO27001, businesses ensure that they have effective controls in place to manage risk and protect personal information.
IT Governance SA has developed a wide range of ISO27001 books, training and tools to help organisations with weak information security, and recommends that companies look at the useful information about ISO27001 available on the company’s website.