Protecting customers’ personal information against loss or damage is just as important for companies considering the Protection of Personal Information (POPI) Act as protecting it against theft and unauthorised access.
Section 19 of the Act requires a responsible party to secure the integrity and confidentiality of personal information by taking appropriate, reasonable technical and organisational measures, and it names loss of, damage to or unauthorised destruction of the information alongside unlawful access as the harms those measures must prevent. That means keeping your own security and data protection up to date, and making sure anybody who processes data on your behalf (an "operator" in the Act's terms) does the same. As the responsible party, it's your job to ensure your suppliers comply with the requirements of the Act.
While most companies easily grasp the importance of making sure personal data doesn’t fall into the wrong hands, fewer understand the importance of protecting it against loss or corruption.
Losing personal data can cause serious problems for your customers. Imagine what would happen if you lost the records of their account payments, for example, or medical history files got corrupted. Knowing that data will always be available is critical.
Maintaining data availability goes beyond simply keeping backups, as Warren Olivier, Veeam Software's Regional Manager for Southern Africa, has pointed out. Having a backup is worth nothing unless you can actually restore from it. So every backup needs to be tested, as well as being securely stored and encrypted to protect it against unauthorised access, and encryption keys should be set per server or per backup job, so that different departments are able to keep their data segregated from each other if necessary.
In addition, Olivier believes companies need to ensure that data is protected appropriately during the recovery process. Asking a low-level help desk employee to restore a database of customer details, for example, is not acceptable. Good solutions for data availability should include easy item-level recovery, so that authorised people can recover only the specific items they need rather than an entire data set.
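The two points above, that a backup only counts once a restore has been tested, and that per-job keys keep one department's backups unreadable to another, can be made concrete in code. The following Go program is an added illustration, not Veeam's or any vendor's implementation: it derives a separate AES-256 key for each backup job from a master key (using HMAC-SHA256 as a simple one-block KDF; a KMS or HKDF would be the production choice), encrypts with AES-GCM using the job name as associated data, records the SHA-256 of the plaintext in a manifest, and then runs an actual restore and compares hashes. The job names, the master key and the sample record are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Backup is an encrypted backup artefact together with the manifest data a
// restore test needs: the job it belongs to and the SHA-256 of the plaintext.
type Backup struct {
	Job         string
	Nonce       []byte
	Ciphertext  []byte
	PlainSHA256 string
}

// jobKey derives a distinct 256-bit key per backup job from a master key, so
// that the key for job A never decrypts job B's data. HMAC-SHA256(master, label)
// is used as a one-block KDF for the illustration (assumption: in production a
// KMS-managed key per job or HKDF would take its place).
func jobKey(master []byte, job string) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("backup-job:" + job))
	return mac.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// CreateBackup encrypts plaintext under the job's key with AES-256-GCM, binds
// the job name as associated data, and records the plaintext hash for later
// restore verification.
func CreateBackup(master []byte, job string, plaintext []byte) (*Backup, error) {
	gcm, err := newGCM(jobKey(master, job))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	sum := sha256.Sum256(plaintext)
	return &Backup{
		Job:         job,
		Nonce:       nonce,
		Ciphertext:  gcm.Seal(nil, nonce, plaintext, []byte(job)),
		PlainSHA256: hex.EncodeToString(sum[:]),
	}, nil
}

// Restore decrypts a backup with the key of the job the caller names. Using
// another job's key fails GCM authentication instead of yielding data, which is
// what keeps departments' backups segregated.
func Restore(master []byte, job string, b *Backup) ([]byte, error) {
	gcm, err := newGCM(jobKey(master, job))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, []byte(job))
}

// VerifyRestore is the restore test: it performs a real restore and checks the
// result against the hash recorded at backup time, so a corrupted or tampered
// backup is caught before it is needed in an emergency.
func VerifyRestore(master []byte, b *Backup) error {
	plain, err := Restore(master, b.Job, b)
	if err != nil {
		return fmt.Errorf("restore failed: %w", err)
	}
	sum := sha256.Sum256(plain)
	if hex.EncodeToString(sum[:]) != b.PlainSHA256 {
		return errors.New("restored data does not match recorded hash")
	}
	return nil
}

func main() {
	master := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, master); err != nil {
		panic(err)
	}
	// Constructed sample record; not real customer data.
	records := []byte("cust-1001,payment,2024-01-15,ZAR 450.00\n")
	b, err := CreateBackup(master, "finance", records)
	if err != nil {
		panic(err)
	}
	fmt.Println("finance restore test:", VerifyRestore(master, b))
	_, err = Restore(master, "hr", b)
	fmt.Println("hr key on finance backup:", err)
	b.Ciphertext[0] ^= 0x01
	fmt.Println("tampered finance backup:", VerifyRestore(master, b))
}
```

The restore test is the part most often skipped: it decrypts and re-hashes the whole artefact rather than merely checking that a file exists, and it runs with the same key and job name a real recovery would use, so a wrong or rotated key is discovered during the test and not during an incident.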
A lot of this is just good IT practice anyway. A company that is already ISO or COBIT compliant probably won't need to do much extra work to ensure its processes and operations are in line with the security requirements of POPI.
On the other hand, the Act (Section 22) says that as the holder of personal data you must notify both the Regulator and the data subject where there are reasonable grounds to believe that the information has been accessed or acquired by an unauthorised person. It's far cheaper to protect yourself, and your data, so that the problem never occurs in the first place.
Jos Floor, Director of Corporate and IP Law for Floor Swart Incorporated