The deadline for compliance with the Protection of Personal Information Act (“POPIA”) is 30 June 2021, which is drawing ever closer. Although this may seem far away, it is never too soon to start planning the implementation of the measures necessary to ensure your compliance and to avoid hefty penalties from the regulator.
One big aspect of POPIA compliance is that of information security and how you manage data breaches. Note that POPIA requires a positive action on your part in the event of a data breach to notify the regulator and all data subjects involved. From an information security perspective it is essential that you have operational processes in place to manage the risk of a data breach occurring and minimize the impact of the risk should it emerge.
It is important to have several interlinking information security policies in place to manage the risk of data being compromised within your organization. These policies need to be implemented within the organization and reviewed at least annually, and all staff should be aware of the contents of all policies and agree to be bound by their provisions.
Technical standards such as ISO27001 are often mentioned when looking at any information security program within an organization. POPIA doesn’t mandate certification to ISO27001, but it is the industry best practice guideline. Certification can be expensive, and many organisations choose to commit to compliance with the standard rather than undergo a full certification process. At its core, ISO27001 requires that an organization adopt a risk-based approach to data security with the goal of continuous improvement.
Getting the right information security policies in place within your organization is essential. Remember, due to the notification requirements of a data breach, your risk is not just of a fine by the Regulator, but also reputational damage and loss of trust in your organization.
Let us know if we can help you implement a set of appropriate information security policies.