South Africa’s Protection of Personal Information Act (POPIA) gives individuals more control over how their personal information is collected, processed, and used by private and public bodies. The Act requires such bodies (known in the Act as responsible parties) to meet several minimum requirements for the lawful processing of personal information – and the grace period is almost over. From 1 July 2021, South African organisations must be compliant. Are you ready? Ask your leadership team these five questions to check that key areas of accountability have been addressed.

1 | Do we have a registered Information Officer?

As a responsible party, you are required to register your Information Officer with the Information Regulator by 1 July 2021.

You can do this online via the Information Officer Registration Portal on the Information Regulator’s website, where electronic and PDF versions of the registration form are available. The portal also contains relevant documentation, including guidance notes, official notices, and policies.

Remember, your Information Officer (IO) is the person responsible for making sure your organisation adheres to POPIA. They need to encourage and ensure your organisation’s compliance with POPIA, deal with any information access requests pursuant to the legislation, and work with the Information Regulator in relation to any investigations conducted in terms of POPIA.

They also need to see to it that an organisational compliance framework is developed, implemented, monitored and maintained, and that internal awareness sessions are conducted regarding the provisions of the Act, among other duties. The IO’s responsibilities are listed in Section 55 of POPIA and in the POPIA Regulations.

2 | Do we have adequate security measures in place?

As a responsible party, you are required to secure the integrity and confidentiality of personal information in your possession or under your control.

According to Section 19 of POPIA, this includes the implementation of “appropriate, reasonable technical and organisational measures” to prevent loss of, damage to, or unauthorised destruction of personal information.

Whether you manage personal data on paper or online, POPIA calls for you to identify all reasonably foreseeable internal and external risks to the data; establish and maintain appropriate safeguards against the risks identified; regularly verify that the safeguards are effectively implemented; and ensure that the safeguards are continually updated in response to new risks.

In addition, POPIA decrees that you must have “due regard to generally accepted information security practices and procedures” which may apply to you generally, or which may be required in terms of specific industry or professional regulations (e.g., hospitals are expected to have strict security measures in place to protect the detailed, sensitive medical records of their patients).

3 | Do we know what to do in the event of a data breach?

As a responsible party, you are required to report security compromises to the Information Regulator and the data subject(s) involved as soon as reasonably possible.

Section 22 of POPIA describes the obligations of the responsible party when there are “reasonable grounds” to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person.

You should have a comprehensive incident response plan on hand to guide your actions in the event of a data breach, data leak, or cybersecurity incident. Make sure that your IO and key members of your leadership team follow a systematic process to identify the incident, respond appropriately, escalate where necessary, and communicate clearly in line with POPIA’s stipulations.

If you fail to notify data subjects in such circumstances, you could face imprisonment, fines, or both. Remember, you must notify affected parties in writing as soon as reasonably possible after the discovery of a security compromise.

4 | Do we have employee training initiatives in place?

As a responsible party, you should ensure that your employees are educated about basic information security protocols and procedures.

From your Human Resources Department, which handles sensitive staff information, to your employees themselves, who may manage personal data from customers, suppliers, and service providers, your teams deal with personal information on a regular basis.

Make sure everyone in your organisation is familiar with POPIA’s requirements – and that individual staff members, line managers, and department heads understand their duties and responsibilities when it comes to data processing, data management, and data security.

Educate your personnel about the collection, use, and storage of personal information under POPIA, and remember that they may need specialised training for new systems and new productivity tools deployed now, or in the future.

5 | Do we understand the risks of non-compliance?

As a responsible party, you could face hefty fines or imprisonment if you’re found to be in contravention of the law.

There are civil and criminal consequences for non-compliance with POPIA. Section 99 of the Act describes how a data subject (or the Information Regulator, at the request of a data subject) may institute civil action against a responsible party for breach of POPIA.

Offences, penalties, and administrative fines are outlined in Chapter 11 of the legislation. If you are convicted of an offence in terms of POPIA, you could be fined up to R10 million, or imprisoned for up to 10 years.

Non-compliance also poses a risk to your reputation: public trust in your organisation could be eroded overnight if you suffer a data breach, and serious brand damage could cripple your business irrevocably.

Get expert help for all your data security needs.

The BUI Cyber Security Operations Center is the first of its kind in Africa. Take a look inside to see how our security experts protect and defend critical data 365 days a year.

Or contact our team directly to learn more about next-generation security solutions to safeguard your personal information, customer files, and business resources.

Five questions to ask your leadership team before the POPIA grace period ends

Our commitment to ensuring business continuity – even in the face of disruption – has been recognised by the British Standards Institution.

We’re proud to announce that we have earned ISO 22301 certification after a rigorous independent evaluation by the British Standards Institution last month. The ISO 22301 badge is recognised internationally and sets the standard for Business Continuity Management Systems.

“This certification highlights the strength of our company’s business continuity strategy,” says Gayle Roseveare, our Chief Operating Officer (COO) here at BUI. “It proves to our staff, partners and customers that we’re prepared for any eventuality – and that we’re able to serve and support the people who rely on us, no matter what. Our ISO 22301 badge represents our commitment to effective risk management, organisational resilience, and reliability – even in the face of disruption,” notes Roseveare.

What is ISO 22301?

Developed by the International Organization for Standardization, ISO 22301 lays out a framework to help companies like ours create, implement, and maintain a comprehensive business continuity management system (BCMS). The main aim is to ensure that companies are protected against unforeseen business challenges and equipped to respond and recover when such events do occur.

“BUI is a global company with offices in East Africa, South Africa, the United Kingdom and the United States,” says Roseveare. “On any given day, our teams are provisioning cloud infrastructure, monitoring and securing digital environments, and delivering a wide range of IT services to customers. We operate around the world and around the clock – and we have to be able to do so continuously. Whether there are power outages in South Africa or internet connectivity issues in Europe, we need to ensure we can deliver uninterrupted services to our customers. Our ISO 22301 certificate validates our planning for disruptive incidents and disasters.”

Why is ISO 22301 certification important?

“In an unpredictable business climate, it pays to be prepared,” explains Dhiren Boodhia, our Group Governance and Compliance Manager. “And that goes double for service providers like us. To earn our ISO 22301 certificate, we had to demonstrate that we have a thorough BCMS in place; that the staff in our various offices understand the BCMS and the processes required to sustain it; and that we are focused on maintaining business continuity and sustainability regardless of market uncertainties and challenges. I think the ISO 22301 badge is an important differentiator – especially when customers are looking for a steadfast technology ally that is as dedicated to legal and regulatory compliance as it is to protecting the business resources of the organisations it works with,” he says.

For customers who choose to partner with BUI, there are five key benefits, adds Boodhia.

  1. Consistency. ISO 22301 emphasises the importance of consistency when it comes to best practices and business processes. “We’ve been assessed on our capabilities around risk assessment and impact analysis as well as our strategies for mitigating disruptions. Our teams excelled in every area – and that means our customers can expect the highest standards of service and care from everyone at BUI,” says Boodhia.
  2. Data protection. With the cyber threat landscape evolving so quickly, data privacy and data security are critical considerations for customers. “ISO 22301 includes extensive conditions for data protection and data recovery,” notes Boodhia. “Our ISO 22301 badge, together with the ISO 27001 certification we achieved for our commitment to information security management, should give our customers even greater confidence: we handle all data respectfully and safely.”
  3. Faster recovery. “ISO 22301 requires us to have a holistic strategy in place to deal with disruptions and disasters. It also mandates a detailed recovery plan to ensure that downtime is minimised – for our company and for the business organisations we serve,” says Boodhia. “BUI customers can be assured that, in the event of an issue, our teams will follow a step-by-step framework to resolve the problem as quickly as possible.”
  4. Greater compliance. By achieving ISO 22301 certification, BUI has met the global benchmark for business continuity management, adds Boodhia. “Many of our customers operate in highly regulated industries, like financial services and healthcare, and they must adhere to their own standards in terms of the services they provide to their clients. BUI is committed to maintaining essential functions during adverse circumstances – and that’s a big plus for customers who have strict compliance obligations.”
  5. Peace of mind. ISO 22301 calls for certified organisations to update and improve their business continuity processes to ensure that their strategies remain current, relevant, and effective. “We’re obligated to adapt and enhance our BCMS plan as our company grows,” explains Boodhia. “It’s good news for our customers because it means we’re always prepared. Whatever happens, the BUI services and solutions that so many businesses utilise every day will be available.”

Our commitment to your success

ISO 22301 may be our newest certification, but it’s also a testament to our unwavering focus on our customers, notes our COO. “To be a dependable, reliable technology partner, you need to anticipate the challenges you’re going to face and then take the necessary steps to ensure that you can address those challenges as soon as they arise. We’re being proactive today so that we’re ready for tomorrow – and always on hand to help our customers be productive, secure, and resilient,” Roseveare concludes.

Do you have a disaster recovery plan in place?

Our experts can help you craft a comprehensive backup strategy aligned with your business structure, your IT resources, your budget, and your goals.

Contact our team to arrange a discussion today.
