Page 28 - Q&A 2019/2020

Data security under POPIA is important even for small businesses

Juanita van Zyl
January 2019

“I’m the owner of a small advisory firm. A few days ago, one of my employees left his laptop in the car during the weekend and it was stolen out of his car. I now hear that the IT guys forgot to have encryption activated on his laptop. With client information on the laptop I’m worried about whether I could be in breach of POPIA. Am I?”

Commercial

Data security has become an essential consideration for just about every business, small or large. With a constantly increasing amount of personal and sensitive client data being captured and maintained by businesses, it has become an imperative for all businesses to have the necessary data security frameworks in place.

To help regulate such frameworks, the Protection of Personal Information Act 4 of 2013 (“POPIA”) has been promulgated. Although not fully in operation yet, it already plays a vital guiding role for businesses should they collect, store, use and/or destroy personal information of clients.

POPIA also provides for the rights and remedies of persons whose rights have been infringed in terms of POPIA, and therefore obliges parties dealing with personal information to take care in handling such information and to protect the public against incorrect and unauthorised access to and use of their personal information. This means that any personal information your business processes or stores must be adequately protected, irrespective of whether such storage is in digital or in hardcopy format. This is to prevent the data from being misused by third parties for fraud, identity theft, abusive marketing practices or other unauthorised purposes.

Accordingly, the obligation on businesses to ensure the security and integrity of personal information is one of the most important principles for the lawful processing of data in terms of POPIA, since security failures and breaches have the potential to cause data subjects significant harm. POPIA requires that, for data security, businesses must implement appropriate and reasonable technical and organisational measures to prevent the loss of, damage to, unauthorised destruction of, unlawful access to or unlawful processing of personal information.

This is quite a mouthful. What it boils down to is that a business must take into account generally accepted data security practices and procedures that can be put in place, including such practices as may be required by or be standard for the industry in which it operates. This means that there is not a standard set of data security rules that can be selected, but rather that the appropriate data security