POPIA compliance: Seven device, data security best practices to know

Companies must begin this transition sooner rather than later, and should expect POPIA compliance to meaningfully transform their business practices.
Amit Parbhucharan
By Amit Parbhucharan
Johannesburg, 17 Jul 2020

As of 1 July 2020, major data handling and security requirements of the Protection of Personal Information Act (POPIA) are now in effect. The law allows a year-long transitional period, putting businesses that handle personal information officially on the clock to fully implement POPIA-compliant data practices by 1 July 2021.

But South African organisations should begin this transition sooner rather than later, and they should expect POPIA compliance to meaningfully transform their business practices.

POPIA requires businesses to meet particular conditions when processing sensitive personal data. This includes specific safeguards designed to defend that data from breaches and unauthorised user access. If a data breach occurs, POPIA requires businesses to notify both the data subject (person or organisation whose data was breached) and the POPIA regulator.

Penalties for non-compliance with POPIA can include up to 10 years imprisonment and fines up to R10 million, and can cause reputational harm that may be even more damaging to a business than the fine itself. However, under POPIA, no notifications are necessary in the event of a breach if the identity of the data subject is rendered impossible to establish.

At the same time, the rapid shift to work-from-home policies made necessary by the COVID-19 pandemic adds another layer of challenges to achieving POPIA compliance – especially from a device security perspective.

Allowing remote employees to use laptops, smartphones, tablets and USB devices containing (or able to access) customer data provides a boon to productivity, but it also requires especially strict safeguards. Businesses need to implement strategies that make it simple to deploy effective, POPIA-compliant device security and access controls. Demonstrable procedures are also critical to showing POPIA compliance to regulators should the need arise.

The rapid shift to work-from-home policies made necessary by the COVID-19 pandemic adds another layer of challenges to achieving POPIA compliance.

Here are seven layers of data protection that are essential for introducing POPIA-compliant device security practices to your business ahead of next year’s enforcement deadline:

1) Control access

Device security begins with enforcing careful access controls. This includes controls that authenticate access to a device itself, and to any sensitive systems the device is able to reach. Enforce rules that require employees to use complex passwords, and engage in employee training that teaches employees to protect their security credentials effectively. Leverage multi-factor authentication to further ensure that only the correct users and devices can achieve access. Businesses might also encourage or even require employees to place devices into locked storage at the end of the work day for safekeeping.

2) Encrypt data

Make sure that all personal data on devices and systems is protected with encryption. Because POPIA spares businesses from notifying data subjects and regulators if breached data is unreadable and the subject can’t be identified, encryption not only protects data but also protects your business from a lot of trouble in the event that an employee-used device is lost or stolen.

3) Play aggressive defence

In addition to encryption, businesses should utilise further measures that mitigate the risks of data exposure with device loss, theft, or any other unauthorised access. For example, remote access control can ensure that a device that falls into the wrong hands has all access revoked. Further, remote data quarantine or deletion goes the extra step of securing or removing all sensitive data from the device.

4) Leverage robust monitoring, auditing and reporting capabilities

Effective monitoring oversees and bolsters security measures such as encryption and strong authentication by continuously ensuring those measures are active and functional.

At the same time, the capability to verify the presence and activity of all security measures is essential to demonstrating POPIA compliance in the eyes of regulators, if and when an incident occurs. Internal auditing and reporting solutions must be in place to validate security strategies and present detailed proof of regulatory compliance – complete with historical forensic data as required under Section 19 of POPIA. Businesses that practice effective device and data security (and can prove it!) can most often avoid punishing regulatory actions.

5) Perform regular data backups

Even aside from the security benefits, implementing data backup systems that regularly and automatically back up your data to offsite locations is a best practice, providing support for both productivity and work continuity. In unfortunate cases where ransomware is able to take hold of data and systems and attackers are making demands, a safe data backup also gives you a get-out-of-jail-free card.

6) Utilise anti-virus and anti-malware solutions

Malicious software can steal data, damage systems and grant attackers access to critical internal applications. Support any data protection strategy with trusted anti-virus and anti-malware software, and ensure these solutions are present and active on every device that must be secured.

7) Maintain awareness and vigilance

Remember that ignorance is no excuse in the eyes of POPIA regulators. This makes it imperative to remain knowledgeable about all variables that represent device and data security risks to your business. This includes all security updates, policies, active scams, critical OS and application bugs, and anything else that threatens your customers’ personal data and your POPIA compliance.

Leverage employee training to instil this same awareness and caution across your business. Design policies to ensure that any requests for personal data, security credentials, or monetary transfers require signoff from multiple individuals in order to thwart deceptive spearphishing or similar attacks. Leverage tools that provide automatic device recognition and device inventory management to simplify effective device security oversight.

Businesses now have under a year to make sure their data and device security measures are up to POPIA compliance standards. If your business isn’t yet prepared for POPIA, don’t hesitate – the sooner you begin to introduce and fine-tune your security strategy and tools, the safer your business and the personal data you work with will be.