With the rise of computing power and the spread of mobile devices, personal information is at greater risk than ever before, and its protection is now imperative. Nominations have closed for the appointment of the Information Regulator for the Act. While there is no need to panic, you need to act now to ensure that you are POPI compliant by the end of the grace period, which is twelve months from the appointment of the Regulator.
In terms of the Act, you must be able to prove to the Information Regulator that you did what was reasonably practicable to lawfully process personal information. Here are a few actions you should consider taking to comply by the end of the grace period:
- Update your information security policies to bring them in line with the new law. This will reduce a possible fine.
- Consider what could happen if a third party accessed an employee’s laptop or phone. Draft a BYOD (Bring Your Own Device) policy for your employees.
- Review the access control to your information systems. People should only have access to the information they need.
- Encrypt all removable devices (USBs), laptops, phones and other mobile devices. If an encrypted device is lost, you will not have to notify the Information Regulator.
- Take measures to protect account numbers in particular. There is a greater chance of being fined if you fail to protect them.
- Review physical security to business premises. It is just as important as electronic security.
- Ensure that you take reasonable and appropriate measures to secure and protect personal information.
- Have an incident response policy for data breaches.
- Ensure operators will notify you in the event of a data breach so you don’t get caught off guard.
If you need advice or assistance, please refer to our eBooks available here or contact us on 011 467 1475.