Hopefully, you are already registering for POPIA and working towards becoming compliant. The 1 July 2021 deadline is looming, and many are still unsure of what needs to happen. The very short version is that you need to register an Information Officer and get the necessary documentation in place. Unfortunately, that is not the only requirement. POPIA also obliges you to take reasonable steps to protect a client's personal information. If you have always been a security-minded person, you may already have many security best practices in place and only need to make some adjustments. The recommended course of action is to have an IT administrator or contractor on hand as you work through the 'checklist' of becoming POPIA compliant. This article is not that checklist; it only gives an indication of some of the practices that need to be implemented to become compliant.
What is deemed personal information? For some, this is still unclear. Something as simple as a contact number is personal information and must therefore be protected. Under the Protection of Personal Information Act, you are responsible for protecting the personal information of your clients. How do we go about this?
First, you need to identify how this information could be breached. Start thinking about where the information lives and how it could be stolen. Simple examples are thumb drives and laptops. We tend to assume that when these devices are stolen, the thief only wanted the hardware. POPIA forces us to consider the possibility that the thief wanted the information on the device. So you need to work out how the data on these devices stays protected if they are stolen. The data needs to be encrypted at rest. Note that a login password on its own is not encryption: a drive can be removed from a stolen laptop and read directly, so use full-disk encryption (for example BitLocker, FileVault or LUKS) and encrypted removable media, with the passphrase held securely rather than on the device. If you have a server in an open office, it will need to be moved to a secure location where physical access can be restricted. And something as simple as the Wi-Fi? Ask whether the passphrase is changed regularly and whether clients who connect to the Wi-Fi can reach internal servers; visitors belong on a separate guest network that is isolated from the internal one. Password policies, encryption, intrusion detection, firewalls and 2-factor authentication are all good security practices that should be implemented.
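The stolen-laptop scenario above is only covered if the volumes holding client data actually sit on an encrypted device. The script below is an added example for this article, not part of the original text or of any POPIA guidance: it reads the JSON output of `lsblk -J -o NAME,TYPE,MOUNTPOINT` on a Linux laptop and lists every mounted filesystem that is not stacked on top of a dm-crypt/LUKS layer. The sample `lsblk` output embedded in it is constructed, and the assumption is that encryption shows up as a device of type `crypt` in the block-device tree.

```python
"""Audit which mounted filesystems sit on an encrypted (dm-crypt/LUKS) block
device, using the JSON output of `lsblk -J -o NAME,TYPE,MOUNTPOINT`.

Added example for this article, not code from the original text.
Assumes a Linux host with util-linux lsblk, where the LUKS mapping appears
as a device of TYPE "crypt" somewhere above the mounted filesystem.
"""
import json
import subprocess

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output:
# /home lives on a LUKS volume; / and the USB stick at /media/backup do not.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
      {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
      {"name": "nvme0n1p2", "type": "part", "mountpoint": "/"},
      {"name": "nvme0n1p3", "type": "part", "mountpoint": null, "children": [
        {"name": "home_crypt", "type": "crypt", "mountpoint": "/home"}
      ]}
    ]},
    {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
      {"name": "sdb1", "type": "part", "mountpoint": "/media/backup"}
    ]}
  ]
}
"""

# Mounts that hold no personal information and are expected to be plain.
IGNORED_MOUNTS = {"/boot", "/boot/efi", "[SWAP]"}


def _walk(devices, encrypted_above):
    """Yield (mountpoint, encrypted) for every mounted device in the tree.

    A mount counts as encrypted at rest if it is, or is stacked on top of,
    a device of type "crypt" (a dm-crypt/LUKS mapping).
    """
    for dev in devices:
        encrypted = encrypted_above or dev.get("type") == "crypt"
        mountpoint = dev.get("mountpoint")
        if mountpoint:
            yield mountpoint, encrypted
        yield from _walk(dev.get("children", []), encrypted)


def classify_mounts(lsblk_json):
    """Return {mountpoint: bool} where True means the mount is on a crypt layer."""
    tree = json.loads(lsblk_json)["blockdevices"]
    return {mp: enc for mp, enc in _walk(tree, False) if mp not in IGNORED_MOUNTS}


def unencrypted_mounts(lsblk_json):
    """Return the sorted mountpoints that hold data outside any crypt layer."""
    return sorted(mp for mp, enc in classify_mounts(lsblk_json).items() if not enc)


def live_report():
    """Run lsblk on this host and return its unencrypted mounts (Linux only)."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True,
    ).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    # With the constructed sample this prints ['/', '/media/backup'].
    print("Unencrypted mounts in sample:", unencrypted_mounts(SAMPLE_LSBLK_JSON))
```

Run `live_report()` on each laptop as part of the device inventory; anything it lists (here the root filesystem and the removable drive) needs to be moved onto an encrypted volume or kept free of personal information. The check only sees the block layer, so file-level schemes such as fscrypt, or BitLocker on Windows, have to be verified with their own tooling.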
POPIA forces companies to take responsibility for their clients' information and to take all necessary steps to protect it. There is little time left, and there will be no extension of the 1 July 2021 deadline. The framework and policies needed for compliance must be in place by then.