Although many South African business owners are aware of the Protection of Personal Information Act (POPI), there is a worrying lack of urgency when it comes to making critical changes and improvements to data management and data security. This lack of urgency (and commitment) to enhancing data protection measures is especially prominent among SMEs, many of which consider themselves ‘too small’ to worry about POPI (and data security legislation in general). Our advice? Sound the alarm bells! This is a hugely risky attitude to adopt, since SMEs are just as bound by data protection laws, including POPI, and just as vulnerable to attack.
Before we explain why, and also suggest important steps for SMEs to begin taking, let’s clarify what POPI means for businesses – and its current legal status.
The POPI Act essentially promotes the protection of personal information by public and private bodies and was signed into law in 2013. It is expected to come into effect very soon, after which organisations will have two years to comply. Notably, certain sections of POPI have already commenced (under proclamation No. R. 25, 2014), but only a few limited ones. The majority of POPI (especially the sections that create compliance requirements) will only commence on a later date to be announced by the President.
Every business is a target for attackers
With the prevailing uncertainty around when POPI will commence in its entirety, many businesses of all sizes are simply sitting back and ignoring the pressures to implement key structural changes to their data security and data management practices. This is both irresponsible and risky – and is an approach which places owners, managers, employees, clients, suppliers and other stakeholders in a highly vulnerable position. This is not simply because POPI and other data security laws (such as the EU’s GDPR) carry stiff penalties for non-compliance…it’s primarily because every business, including SMEs, contractors and sole traders, will be targeted by cybercriminals. It is not a question of ‘if’ anymore…it is simply a question of ‘when’!
Still not convinced? Consider this: the global Cyber Exposure Index ranks South Africa sixth on the list of most-targeted countries for cyberattacks, while PwC’s 2018 Global Economic Crime Survey ranked cybercrime as the second most frequently reported type of fraud (and identified it as the most disruptive and serious economic crime expected to impact organisations in the next two years). Moreover, SMEs are at least as vulnerable to hacks and data theft as their larger counterparts, and often more so, because they have fewer dedicated IT security resources available to them.
Paying attention to POPI: an intelligent approach
Now that we’ve highlighted the risks of the very dangerous online world that businesses now inhabit, let’s get back to what POPI means for you, the business owner. Firstly, it’s critical to highlight that it’s now the law to do everything that is considered “reasonable” to protect data. Secondly, it’s the right, ethically responsible thing to do to pay attention to protecting your personal information – and that of your customers.
That said, we advise that you don’t spend too much time concerned with the Act itself. Rather, make sure that you understand everything you can about where your data is; who has access to it; and what your mitigation and recovery plans are to keep your business operational WHEN you are hacked (or have an outbreak of malware).
Your SME is not immune
Critically, every business falls within POPI’s reach. This is essential to note, especially when you consider the wording of the Act and how it refers to directors, people and businesses doing everything that can be considered “reasonable” based on what they do, the data they keep and the industry they are in.
Let’s look at an example: a financial manager is technically a one-person business (i.e. a very small company), but he/she holds clients’ data, including sensitive financial data. This means that his/her adherence to the Act is imperative, even when compared to a furniture manufacturer that possibly employs 50 people. Yet even in the latter example, the personal data of those 50 employees is also on file, so a high degree of responsibility and adherence to the Act is required there as well.
Getting your data (house) in order: layered security
As we mentioned earlier, business owners and SMEs shouldn’t concentrate on the Act itself, but should rather ensure that they understand the concept of layered security. Much like how you protect your home and business with physical security (guards, electric fences, etc.), you must now protect the data in your business both digitally and physically – and back this up with continuous education and awareness training.
Importantly, this is a systematic approach that is made up of many layers. When properly and professionally executed, it creates a robust system of defence that is effective in mitigating the massive risks that sophisticated cybercrime and data theft present today. It is also an essential strategy to make sure your SME complies with POPI and GDPR!
This approach includes the following elements:
- Endpoint Security
- Education & User Guidance
- Network Security
- Contract Support
- Server and/or Hosted Security
- Monthly Reporting
While your business rivals may be shuffling papers and making calls to understand POPI and GDPR, your SME will undoubtedly gain many critical competitive advantages by turning its focus to the more important question of data security and robust data management. By focusing on strategies such as layered IT security, savvy business owners can ensure that their employees and stakeholders will be left in peace to achieve growth and sustainability – while others get caught in the crosshairs of POPI and cybercriminals!