May 6, 2022

Condition 7 for the Lawful Processing of Personal Information and Security Safeguards

In 2018, the European Union (EU) General Data Protection Regulation (GDPR) came into effect. As the international standard for data protection laws, the GDPR has formed the basis for many data protection laws worldwide, including South Africa’s Protection of Personal Information Act 4 of 2013 (POPI).

POPI prescribes eight conditions for lawful processing of personal information, which broadly accord with the principles found in the GDPR. It also sets out the roles of various parties involved in the processing (including collecting, storage, transfer and use) of personal information. One of those parties is the ‘responsible party’. The responsible party is the business responsible for determining how and why personal information is processed.

Condition 7 deals with security safeguards and requires responsible parties to ensure that the personal information they collect is kept secure through appropriate, reasonable, organisational and technical measures to protect against data security breaches.

Condition 7 requires a responsible party to place security controls or measures on their business processes and systems. In determining which security measures are appropriate, a responsible party should consider information technology (IT) security best practices and strategies that will protect the integrity of and prevent unauthorised access to their data assets.

Based on international security best practices, the following areas are significant areas that responsible parties should focus on:

  • Firewall Security: Firewalls restrict incoming and outgoing network traffic through criteria and rules configured by your business. Firewalls should be configured to restrict inbound and outbound traffic to just what is necessary for business. There should also be processes for flagging, deleting or quarantining suspicious emails.
  • Wireless Network Security: Set up your WiFi with WiFi Protected Access II (WPA2) and, if you offer WiFi to customers, segment guest and non-guest wireless networks with a firewall.
  • Password Policies: Secure passwords should have at least ten characters, including an upper and a lower-case letter, a number and a special character.
  • Malware Prevention: Install antivirus or anti-malware software on all systems commonly affected by malware. Ensure that antivirus programs are updated regularly to detect known malware. One should also consider installing proactive security systems dedicated to monitoring system irregularities, such as those for intrusion detection and data loss prevention.
  • Encryption: Processes should be in place for encrypting data where appropriate.
  • Patching: Patching means keeping the software on systems up to date, particularly internet browsers, application software, databases and operating systems.
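The password rule above (at least ten characters with an upper-case letter, a lower-case letter, a number and a special character) is concrete enough to enforce in code. The following is an added illustration, not code from the article or from SEESA; the function and the constructed sample passwords are assumptions made here, and "special character" is taken to mean ASCII punctuation.

```python
from typing import List
import string

# Minimum length taken from the article's password policy bullet.
MIN_LENGTH = 10


def check_password_policy(password: str) -> List[str]:
    """Return the list of requirements the password fails to meet.

    An empty list means the password satisfies every rule in the policy,
    so the caller gets a reason for each rejection rather than a bare no.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"at least {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("an upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("a lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("a number")
    # string.punctuation covers ASCII punctuation only; extend this set if
    # the policy should accept other symbols (assumption made here).
    if not any(c in string.punctuation for c in password):
        failures.append("a special character")
    return failures


def password_meets_policy(password: str) -> bool:
    """Convenience wrapper: True when no requirement is unmet."""
    return not check_password_policy(password)


if __name__ == "__main__":
    # Constructed sample inputs used only to show the output shape.
    for candidate in ["Tr0ub4dor&3", "alllowercase1!", "Ab1!"]:
        unmet = check_password_policy(candidate)
        status = "OK" if not unmet else "missing: " + ", ".join(unmet)
        print(f"{candidate!r}: {status}")
```

Returning the list of unmet requirements, rather than just a boolean, lets a registration or password-change form tell the user exactly which rule was missed without logging or storing the password itself.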

IT security strategies do not rely solely on hardware and software mechanisms but also include additional security measures such as:

  • Training: Employees should receive regular training about POPI and security measures, especially those working on networks and systems dealing with personal information. Employee education is the best defence against phishing scams and social engineering, which are common causes of data breaches.
  • Physical Security: Control physical threats by implementing a physical security policy that includes all rules and processes to preserve onsite business security. Physical security includes security doors, key-entry areas, external doors that remain locked from closing time until the building opens, locked or barred windows, security cameras, registration of visitors at entrances, security guards, armed response and fire protection.
  • Policies: Implementing specific policies relating to the best practices described above forms part of the ‘appropriate, reasonable, organisational and technical measures’ prescribed by Condition 7.

It is important to note that the consequences of failure to comply with any of the eight conditions for lawful processing of personal information, especially Condition 7, are significant. POPI imposes various penalties for non-compliance, including imprisonment for a period not exceeding ten years, a fine not exceeding R10 million, or both. Even a single data security breach can seriously impact the financial well-being of a business and its reputation, as customer and investor trust can be irreparably damaged.

Should you require policies for your business, POPI training for your employees or any legal advice regarding the above, please contact your nearest SEESA office for assistance. Alternatively, leave your contact details on our website and we will contact you.

About the Author:

Sandrisha Govender is a Legal Advisor for Labour and Consumer Protection and POPI at SEESA’s Port Elizabeth office. She obtained her LLB from Nelson Mandela University. She is also an admitted attorney of the High Court of South Africa.
