It’s been some time since we tackled developments in both the POPI act’s enactment as well as data security. Moreover, the issue of data quality remains prevalent. We attended the recent Cape Town leg of the ESET Security Day, which inspired a fresh look at the topics.
Data security: no small matter
Organisations face increasingly difficult challenges in keeping data safe. Malicious entities are, without a doubt, making use of every possible avenue to obtain data that is not theirs. What’s more, each available solution only covers a small portion of gaps in data security.
This is therefore a daunting arena to be a champion in. And yet it is more and more critical to find the best possible defense strategy to safeguard data. With the establishment (and recent bona fide activities) of the new Information Regulator, all data holders will need to reach compliance. Finally, clients are already scrutinising service providers in terms of how well they can protect personal information.
The response plan is the key
Veronica Schmitt, director at DFIR Labs, strongly believes that firms need to have a solid response plan. No matter how good their data security processes, it is their ability to handle intrusions that counts in a pinch.
While there are several effective methodologies available, having team members who know the routines involved is paramount. They need to respond as soon as any intrusion is detected and react accordingly to protect and preserve. What’s more, you can also designate an “offense” team to actively test the efficacy of your response team.
There is another important advantage to having a proper response plan. The better this is, the better you will be able to preserve all the information pertaining to any breaches. This helps tremendously when you (or a 3rd party) are investigating. DFIR presented a case where the breached organisation only managed to detect an intrusion many months after it occurred.
POPI makes its demands clear
The POPI act is specifically written to grant as much protection as possible to data subjects. In addition, it gives broad powers to other pieces of legislation that also handle data protection. When enacted, data holders have 12 months to achieve compliance.
This is no small feat, particularly when you consider it’s South Africa’s first foray into enacting a serious separate data protection act. In other countries, history shows that compliance was difficult for the first while after their respective legislation was passed. It took many years for all organisations to achieve this.
Drew van Vuuren, founder and director of iDatasec, informs people that there is no silver bullet for POPI compliance. Even if you decide to eventually outsource the task to a competent provider, you as the data holder remain responsible. No one can tick the relevant boxes and promise you that you are compliant.
The silver lining is that POPI permits “reasonable measures”. As long as you take acceptable steps to safeguard data and follow the directives set out by the act, you should be fine. And while no one can sign the proverbial dotted line on your behalf, there are already tools in development to help organisations measure themselves against the POPI compliance checklist.
If you haven’t done so already, it’s high time you and your organisation considered the legal, practical and reactive measures surrounding data security. The ball will always be in your court, and those whose data you hold will ultimately look to you to safeguard it correctly. Experts can offer advice and assist you in this, but the onus is on you to ensure you satisfy all the requirements. Besides, if you manage to do so early enough, you’ll be seen as an early adopter of security and data protection. That kind of reputation is highly worthwhile in any industry.
Adept would like to sincerely thank ESET South Africa and their guest speakers for inviting us to the Security Day and offering such valuable insights into the topic of data security.