The recent data breach at Microsoft
TIPS FOR TECHNIQUES
PoPI IN A NUTSHELL
The PoPI Act focuses on the collection, storage, use and disposal of an individual’s personal information. It provides clear guidance to companies on exactly how these matters should be handled. It is governed by eight principles:
● Lawful collection: Information may only be obtained in a lawful, consented manner from an individual;
● A clear motivation for data collection: There must be a specific reason that each and every piece of information is required and collected. No more “just because” reasoning will be allowed;
● Clear scope for information required: What does the company want to do with your information? For example, if they want to collect driver’s licence information to see how many Code 08 drivers there are, they may only do that. They cannot later decide to check other details;
● Quality control: The person collecting the information has a responsibility to ensure reasonable quality control. Information collected should be appropriate and relevant;
● Ongoing transparency: When data is processed, the affected party, as well as the Information Regulator, has to be kept informed;
● Active involvement: When an entity collects information about a specific person, the person in question must have active involvement in the process. The person whose data is being collected must have the opportunity to amend and update information as and when required; and
● Accountability: Accountability rests on the shoulders of the person responsible for processing the information. Every reasonable step aimed at data protection and security should be followed.
The required protocol following a data breach
When a data breach is detected, companies are obliged to provide the following information to the Information Regulator:
● What type of breach occurred;
● How exactly it happened;
● Who the affected parties are;
● What steps will be taken to inform the identified parties of the breach;
● What mitigating steps are in place; and
● What risk management factors are in place to ensure that future data breaches do not happen again.
Defining data privacy
Data privacy is concerned with the collection, use, storage and eventual disposal of personal information. With the rise of data privacy laws, companies are required to clearly define the purpose for which they want access to personal information.
What can then be defined as data?
Most of us have had to “accept cookies” when browsing a website. Very few, if any, of us ever read the privacy policies connected to these. The purpose of all this is quite simple: cookies collect valuable information about what is browsed on the site and what data is collected, and they authenticate a user before sensitive data is released.
The rollout of data privacy laws
In 2018, Europe took its first step towards ensuring the protection of personal data and privacy of EU citizens with the General Data Protection Regulation. It sets guidelines for collecting and processing personal information from individuals, companies and organisations based in Europe and EU member states. Heavy fines and even imprisonment are on the cards for companies who fail to comply and fall victim to data breaches.
Following in the steps of Europe, South Africa introduced the PoPI Act, or Protection of Personal Information Act. Like the GDPR, the PoPI Act governs when and how organisations collect, use, store, delete and otherwise handle personal information. To give effect to this Act, an Information Regulator had to be established to ensure compliance with related local and international legislation. It takes action on non-compliance and amends legislation as and when required.
In the past, data privacy was not an important focus area for many business types. But considering there is a 12-month grace period since the Act came into effect on 1 July 2020, time is running out to comply.
IMPROVING DATA SECURITY IN YOUR BUSINESS
Seeing as remote working might be here to stay, how can security be improved to protect the data in your business? Without having to go into technical detail, there are some basic things that companies and individuals can do to stay compliant:
● Educate your team - It is always sensible to keep your employees informed about the latest risk factors related to the digital environment. It also helps when employees know how to handle data breaches.
● Designated systems - Depending on work functions and data sensitivity, using a designated computer system might be wise. For example, if you work in the financial sector, you would want your employees and co-workers to use office equipment rather than personal computers.
● Access control - Extra system verification is never a bad thing. The harder it is to access a working system, the better. Every security measure provides one more barrier against unauthorised access.
● Backups - Incorporate a proper backup system. Nothing is worse than a system crash and then realising your last backup was six months ago. Partial backups can be done regularly, and complete backups can be scheduled every month. These backups also need to be stored safely and securely, either off-site or remotely.
● Be proactive - What happens when a data breach occurs? Do your employees know what will happen and what needs to be done? This can be incorporated with education and awareness. Teach everyone the importance of data security and privacy. Teach them what steps to follow when a breach happens. Your company downtime will be cut in half as your employees will not experience a “deer in the headlights” situation.
● Use a VPN (Virtual Private Network) - Quite a few companies have a two-tier approach to system access. They tend to have an “open system”, which is more easily accessible. The “closed system” is only accessible via a VPN, which creates a secure data connection for a user, disguises the user’s identity and encrypts the data in real time. It also hides your IP address and helps to encrypt data for safer data transfer. Your sent and received data, as well as the websites visited, are hidden from any unwanted third parties trying to access them.