ADVERTORIAL BY BRIAN PINNOCK, CYBERSECURITY EXPERT AT MIMECAST
Three common POPIA myths - thoroughly debunked

South African organisations in the public and private sectors now have to ensure they are fully compliant with the provisions of the Protection of Personal Information Act (POPIA). Every organisation that collects, processes, shares or stores the personal data of South African citizens, organisations or legal entities is at risk of contravening POPIA if it has not implemented reasonable organisational and technical measures to protect personal information. POPIA establishes eight minimum requirements for the lawful processing of personal data, but the provision most fraught with risk is arguably security safeguarding. Here, cybersecurity professionals play a vital role in protecting the organisation not only from cyberattacks, but also from the regulatory risks that follow them. Since many public sector organisations handle large volumes of citizen data, it is important that they understand the requirements of POPIA. As they work to become compliant, it is worth pausing to ensure they are not caught out by these three common POPIA-related myths:
“Breaches only apply when data leaves the organisation”

The traditional view of a data breach is one where data is ‘stolen’ from an organisation’s systems. However, data does not need to leave the organisation for an incident to be considered a breach: POPIA applies to any unauthorised access to personal information. The global rise in ransomware attacks - such as the recent headline-grabbing attack on a US oil pipeline - adds further risk for organisations, because data that is encrypted in an attack constitutes a data breach. Mimecast’s State of Email Security Report 2021 found that half (47%) of all South African organisations suffered a ransomware attack in the past year.

“I can outsource my compliance”

Many organisations believe they can simply outsource their compliance responsibility to an external service provider, but this could put themselves - and their data - at immense risk. No single vendor or solution can ensure full POPIA compliance. A vendor - for example Mimecast - can certainly help organisations become compliant with some provisions.
24 | Public Sector Leaders | June 2021
But there are multiple other moving parts that organisations need to attend to if they are to be fully compliant.

“Any data breach puts me at risk of penalties”

Under Chapter 3, Section 19 of POPIA, organisations must take appropriate measures to prevent “(a) loss of, damage to or unauthorised destruction of personal information; and (b) unlawful access to or processing of personal information.” The key here is to take ‘all reasonable steps’ to protect personal data. Organisations can still be considered compliant even if they fall victim to a data breach, provided they can prove that they took every reasonable step to prevent such a breach. The alternative - suffering legal, financial and reputational damage - is simply too costly to the organisation to even consider.
Contact:
Address: Mimecast South Africa, Sandton Gate, 4th floor, 27 Minerva Avenue, Glenadrienne, Sandton 2196
T (Local): 0861 114 063
T (Int): +27 (0) 11 722 3700
Email: meabdr@mimecast.com