Since 2013 the Protection of Personal Information Act (POPIA) has been a point of contention for many businesses. What is POPIA? Why is it important? How do I get POPIA compliant? What is personal information in terms of POPIA? What solutions are there to this challenge? Well, here are the answers.
What is POPIA?
The Protection of Personal Information (POPI) Act was passed with the intention of protecting the constitutional right to privacy. Any information that might single out individuals is now by law to be respected by businesses and other organisations alike. Personal information refers to anything that can identify an individual including email addresses, physical addresses, phone numbers and other online identifiers.
Why is POPIA important?
We are living amid the Fourth Industrial Revolution, the Digital Revolution, and with exponential technological advancements, we need to ask important questions about the safety of personal information in the online world. While it is easy to document, store and process information it might not be as easy to protect it. This may sound like a disaster waiting to happen, however, there are precautions organisations can take to protect private information such as introducing Information Security management Systems like ISO/IEC 2700:2013.
How do I get POPI Compliant?
The information regulator has been appointed as the POPIA enforcement body in South Africa and will ensure the prescribed principles of the POPI Act are enforced. These principles include the following:
- Accountability: A person or entity must be designated to process information and ensure the enforcement of the POPIA compliance requirements.
- Processing limitation: The processing of information should be limited only to the degree that is required and no more. It should also be processed in a lawful way.
- Purpose specification: The purpose of personal data collection should be justifiable.
- Further processing limitation: Further processing of information must stay within the guidelines provided for the original use of the data.
- Information quality: The information must be complete, accurate and not misleading. Again, any processing of information must be done while adhering to the original purpose of the data collection process.
- Openness: The information regulator must be aware of any processing of information that is taking place.
- Security safeguards: The integrity of all the information gathered should be preserved.
- Data subject participation: The individual can request their information free of charge and the responsible party must comply.
There are various steps that need to be taken to comply with POPIA:
- Step 1: An information officer needs to be appointed.
- Step 3: Awareness needs to be raised amongst all employees.
- Step 4: Contracts with operators need to be amended.
- Step 5: Any data breaches need to be reported to the regulator and the people whose private information has been implicated.
- Step 6: The transfer of personal information needs to be done lawfully.
This is all possible with the help of implementing an Information Security Management System aligned to the standards in the ISO/IEC 27001 family. ISO/IEC 27001 contains the requirements and tools to assist in mitigating the risks associated with private information within organisations.
What is ISO/IEC 27001?
ISO/IEC 27001 is a family of standards developed to provide a framework upon which an Information Security Management System can be successfully implemented. It focuses on protecting the confidentiality, integrity, and availability of the information in a company by applying a risk management process. This gives assurance to all parties that risks are competently managed while helping any business comply with the POPI Act. The main philosophy of ISO/IEC 27001 is based on managing risks by finding out where the risks are, and then systematically treating them. Applying a security management system gives confidence to all interested parties that risks are adequately managed.
Why use ISO/IEC 27001?
Simply, ISO/IEC 27001 helps businesses comply with POPIA. It contains solutions to high-level policy requirements assisting any business to protect all information within it by setting the terms for the treatment of said information. ISO/IEC 27001 is beneficial because:
- It helps businesses comply with the government regulations of the POPIA.
- The confidentiality of information within a business stays secure.
- It offers a framework for legal, regulatory, and contractual requirements regarding information security.
- It increases shareholder confidence.
- It ensures the exchange of information within the business has the structure to take place securely.
- It becomes easier to comply with other necessary regulations.
- It provides the opportunity within a business to gain a competitive advantage.
- Customers feel safe and satisfied and feel more confident returning.
- There is consistency in internal processes.
- It manages and minimises the risk of exposure.
- It builds a culture of accountability and security.
- It protects the company and all its shareholders.
So now what?
When it comes to preparing for the POPIA or Information Security, WWISE is your tailored business solution. Our Information Security Management System consultants are registered Lead Implementors and Auditors who assist organisations to understand their current conformity and compliance status to the ISO/IEC 27001 and POPIA by conducting a gap assessment. This is a small investment to ensure an understanding of the potential risks in an organisation, before they become a reality.
WWISE can assist your organisation with the implementation of the POPIA. We assist organisations by ascertaining:
- What information you may process.
- Under what circumstances you may process information.
- The duration you may process it.
- How the information must be maintained.
- How the information must be secured.
- How and when you must dispose of information.
Furthermore, we assist in closing the gaps through administrative alleviation by working with your process owners to understand the requirements and conditions for your business. This enables you to take control of the protection of data. This will assist in keeping your business compliant with POPIA, while keeping the information of all stakeholders safe. We mentor, train, and guide you while generating evidence to assure your compliance status. Our work is concluded with the validation of a third-party regulatory body who conducts an audit to safeguard the investment in documenting, implementing, and maintaining an Information Security Management System.
For more information on how we can assist your business, please contact us on 086 109 9473 or 021 525 9159. Alternatively, you can email us at firstname.lastname@example.org.