
POPI and your data security

            Damian Viviers
            April 2018

            “I have an advisory business serving private and corporate clients. Our client
            information is stored on a central server in our offices. I have been advised
            to review our data security due to the growing risk of being hacked and the
            requirements of POPI to protect the personal information of my clients. What
            does POPI require of me in this regard?”

            The Protection of Personal Information Act 4 of 2013 (“POPI”) aligns South Africa
            with the international position in respect of information and data protection.
            Although POPI has not yet fully come into operation, it is only a matter of time
            before it does.
            An important aim of POPI is to protect persons from suffering damage and
            harm by requiring entities and persons who receive our personal information to
            protect such information. POPI therefore places an important responsibility on
            parties who collect, store, use and destroy personal information (“responsible
            parties”) and provides rights and remedies to persons whose rights have been
            infringed (“data subjects”).
            POPI obliges responsible parties to secure the integrity and confidentiality of
            personal information in their possession. Data security is achieved through
            appropriate and reasonable technical and organisational measures that prevent
            the loss of, damage to, or unauthorised destruction of personal information,
            and prevent unlawful access to or unlawful processing of it. It is important to
            understand that this duty is not restricted to personal information that is
            processed electronically. Physical records containing the personal information
            of data subjects, such as paper files, must also be secured.
            Information security breaches in the modern business environment may occur
            through various means, including theft, deliberate attacks on electronic systems,
            unauthorised use of personal information of data subjects by an employee,
            accidental loss or even equipment failure. Although POPI does not prescribe
            specific technical controls, it does require responsible parties to have due
            regard to generally accepted information security practices and procedures,
            including any that apply to their particular industry or profession. It is
            therefore the responsibility of each responsible party to ensure that it has
            the necessary and appropriate technical and organisational measures in place
            to protect the personal information it holds.
            In the event that a responsible party’s data security safeguards are compromised
            and unauthorised access to personal information ensues, responsible parties
            will be required to notify the Information Regulator as well as the affected data
            subjects as soon as is reasonably possible after the discovery of the compromise.
            The notice will also have to contain sufficient information for data subjects to
            adequately protect  themselves  against  any  potential  consequences  of  the
            compromise in data security.



