
Data breaches are expensive and cost South African businesses millions each year. In addition, the reputational damage caused by breaches can be significant, since customers who are at risk of identity theft and credit card fraud question whether companies can protect their valuable information.
With the implementation of the Protection of Personal Information Act (POPIA) in July 2021, organisations are applying robust measures to keep customer information secure. POPIA outlines principles that should be adhered to when collecting, storing and processing personal information, to encourage responsibility, security and consent:
- Accountability – The Information Officer will be responsible for ensuring that the information protection principles within POPIA and the controls that are in place to enforce them are complied with.
- Processing limitations – Organisations must ensure that information is processed lawfully, that only the information required is collected, that consent is obtained, and that personal information is collected directly from the data subject.
- Purpose specification – Personal information must be collected for a specific purpose, and the data subject from whom the personal information is collected must be made aware of the purpose for which the information is collected.
- Information quality – The responsible party must take reasonable steps to ensure that the personal information that has been collected is complete, accurate and up to date.
- Openness – The responsible party must be open about the collection of personal information by notifying the Regulator. The responsible party must take reasonably practicable steps to ensure that the data subject has been made aware that his or her personal information is going to be collected.
- Security safeguards – The responsible party must ensure that the integrity of the personal information in its control is secured through technical and organisational measures.
- Data subject participation – Data subjects have the right to request that a responsible party confirms whether it holds personal information about the data subject.
To ensure that your company is compliant with POPIA, it is recommended that the following be done:
- Create awareness – Ensure your employees are aware of the Act and the regulations they need to adhere to.
- Data collection assessment – Assess the manner in which your clients’ and employees’ data is collected, stored, processed, and ultimately disposed of. Complete an inventory of the personal information under your control.
- Policies review – Create and implement policies and procedures to ensure the correct processing of personal information.
- Gap audit – Policies and procedures should be assessed by a specialist to ensure they align with the requirements of POPIA.
- Implementation and training – Adequate communication and training should be provided to everyone within the company with regard to all policies and procedures. Where necessary, make these policies available to stakeholders and the public.
Aneesa Khan | Finance Manager
