PoPI Cybersecurity Compliance
The purpose of the PoPI Act, or the Protection of Personal Information Act in South Africa, is to ensure all institutions responsibly collect, process, store, share and otherwise handle personal information by holding them to account for any abuses. It is important that any organization in South Africa handling this information practices PoPI cybersecurity compliance.
Organizations use the Threatcare Suite to verify security through breach and attack simulations. Threatcare, the leader in proactive cyber defense, believes that companies have a “right to know” if their cybersecurity is properly in place.
The legislation states that personal information is considered a “precious good” and as such bestows upon the individual, who is the owner of said personal information, key rights and protections over which the individual has control. They include:
- When and how personal information is shared, via consent of the individual;
- What type of information is shared and to what extent, which must be for valid reasons;
- Notification that personal information is compromised;
- Transparency and accountability regarding how data will be used;
- Who is being given access to personal information, coupled with adequate controls in place to track such access, while preventing unauthorized persons from accessing it;
- Providing persons access to their own information and guaranteeing them the right to have data removed and/or destroyed on demand;
- How and where personal information is being stored, while ensuring adequate security and protections are in place to keep it secure from theft or compromise;
- Integrity and continued accuracy of personal information, meaning information must initially be captured correctly and then maintained.
Firms that are PoPI compliant, then, must adhere to all of these provisions.
Some examples of “personal information” include passports, birth dates and age, phone numbers, online identifiers, physical address, gender, race, ethnicity, photos and voice recordings, video footage (including CCTV), criminal records, private correspondence, employment history, marital relationship, education, financial information, health data and more.
Since we now live in an age when it is popular, even fashionable, to divulge personal information — largely online, on social media platforms — often we do not think twice about it. That’s why it was important for the South African government to pass this legislation.
The law also notes that some personal information, by itself, doesn’t necessarily permit a third party to confirm or infer a person’s identity to the point where it can be abused or misused for other purposes. For instance, the combination of someone’s name and phone number and/or email address is much more significant than just a name or a phone number by itself.
As such, the law specifies that a “unique identifier” must be data that directly correlates “that data subject in relation to that responsible party.”
Use Threatcare to verify PoPI cybersecurity compliance.