Due to a rising number of incidents in which personal information is stolen or taken from a system without authorisation, most organisations are establishing and implementing new strategies to prevent exposure or leakage of data. There are numerous standards, rules, regulations, pieces of legislation and codes of conduct that serve as guidelines for data protection and for compliance with POPIA.
What is the purpose of POPIA?
The Constitution of the Republic of South Africa states that “everyone has the right to privacy”. This is a personal right that protects a person’s image, name and opinions. In 2013 the South African Government promulgated the Protection of Personal Information Act, No. 4 of 2013, an Act that serves as a guideline and lawful basis for processing personal information. The Act is used as a tool to promote data protection and privacy in public and private entities. It also requires responsible parties to secure the integrity and confidentiality of personal information in their possession or under their control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to, or unauthorised destruction of personal information.
What is the purpose of ISO 27035-1:2016?
ISO is a non-governmental organisation that creates standards to ensure the quality, safety and efficiency of products, services and systems globally. It has developed numerous standards, including ISO 27035-1:2016, which sets out the principles of information security incident management. ISO states that “the standard covers the operational aspects in ICT security operations in processes and technology perspectives. It then further focuses on information security incident response in ICT security operations”.
Both of these compliance mechanisms require security safeguards and the implementation of measures that protect the integrity and confidentiality of personal information during processing.
Why do organisations in South Africa need to align with these standards to support POPIA compliance?
Processing personal information does not only mean capturing data; processing also includes retaining, deleting, sending, saving, collecting and selling personal information. A security breach is possible during any form of processing. The POPI Act therefore states that where there are reasonable grounds to believe that the personal information of a person has been acquired or accessed by anybody without authorisation, the responsible party must notify the Information Regulator as well as the person whose personal information has been compromised.
According to ISO literature, an information security event is defined as an “identified occurrence of a system, service or network state indicating a possible breach of information security, policy or failure of controls, or a previously unknown situation that may be security relevant” (ISO, 2011). The POPI Act therefore gives the data subject the authority and sufficient time to take any practicable security measure to prevent damage that may result from the security incident. Organisations in South Africa should align with this standard because it offers a structured approach to incident management: planning and preparing for incident response, what to do when an incident occurs, and how to extract lessons learned afterwards.
What are the methodology and the steps to follow in the case of an event?
Under the Protection of Personal Information Act, the notification process must be actioned as soon as reasonably possible after the discovery of the compromise. It must also take into account the needs of law enforcement and any measures needed to determine the scope of the data breach. The goal must be to restore the integrity of the information system in question. The person whose information has been compromised must be notified in one of the following ways:
- Mailed to the data subject’s last known physical or postal address
- Sent by e-mail to the data subject’s last known e-mail address
- Placed in a prominent position on the website of the responsible party
- Published in the news media; or
- As may be directed by the Regulator.
West Brown (2003) mentioned in his writing that ISO 27035-1:2016 follows the incident handling life cycle listed below, as comprehensive guidelines for establishing and operating incident management:
- Plan and prepare – establishment of an incident response team.
- Detect and report – detection.
- Assessment and decision – analysis.
- Responses – notification/communication.
- Learn – identify lessons learned.
What are the benefits?
01 July 2021 was proclaimed as the enforcement date by which all organisations or individuals who process personal information in South Africa must comply with and implement the POPI Act. Failure to comply can result in administrative fines, imprisonment, reputational damage, compensation claims, and even a ban on processing personal information. Companies that comply with this Act and conform to ISO 27035-1:2016 will be able to protect personal information and avoid future damages and the loss of clients’ trust.
Complying with the Protection of Personal Information Act and aligning it with ISO 27035-1:2016 is beneficial to companies globally. Organisations tend to gain more trust and confidence from clients in terms of data protection and the handling of security breach incidents. Implementing these compliance frameworks and systems conveys a culture of proactiveness and transparency within an organisation.
How can WWISE assist your organisation with POPIA and ISO implementation?
WWISE can assist and ensure compliance in your organisation by following a simple but detailed strategic plan:
- Assess and Identify
- Develop a compliance management program
- Monitor and train
For more information on POPIA & ISO standards implementation in your business, contact WWISE on 08610 99473 or visit https://www.wwise.co.za