South Africa’s data privacy law, the Protection of Personal Information Act, 2013 (POPIA) has come into effect and with 12 months to become compliant. Companies that are not acquiescent yet will definitely start feeling the pressure.
PoPI Act is an important step in protecting data privacy as it stipulates that personal information must be protected and can only be collected or handled where there’s lawful justification (for doing so). Put in layman’s terms, PoPI Act governs when and how organisations collect, use, store, delete and otherwise handle personal information.
For organisations, it poses quite a daunting task – and whilst there is still almost a year to become compliant which will be no easy feat. The major challenge is that PoPI Act requires the analysis of all personal information, therefore, where it came from and what organisations intend to do with it. It is a massive of amount of data that needs to be secured and analysed.
The good news is there is already a very mature standard in place that will provide organisations with tried and tested guidance on achieving PoPI Act compliance and securing data. The Payment Card Industry Data Security Standard (PCI DSS), consists of 12 high-level requirements across six goals.
PCI DSS applies to all businesses that accept credit and debit cards and provides a myriad of standards and supporting materials such as specification frameworks, tools, measurements, and other resources. Ultimately, it presents the necessary framework for developing a complete sensitive data security process that encompasses prevention, detection, and appropriate reaction to security incidents.
Some of the requirement PCI DSS can also be used to meet PoPI Act compliance such as goal number three: Maintain a Vulnerability Management Program.Vulnerabilitymanagement is the process of systematically and continuously finding weaknesses in an entity’s payment card infrastructure system. This includes security procedures, system design, implementation, or internal controls that could be exploited to violate system security policy.
PCI DSS offers extremely specific parameters and controls; in the case of PoPI Act the definition cardholder data will fall under personal information and security will be extended to include all this sensitive information.
The PCI DSS Self-Assessment Questionnaires (SAQs) also offer important guidance as it provides organisations with relevant self-assessment on whether their customers data is safe and secure. The relevant SAQ can take you one step closer towards preventing data breaches and minimising liability.
The reality is a lot of the measures of PCI DSS pertains to protecting IT networks and systems such as firewalls, anti-virus, security testing of system and security policies – these disciplines can be leveraged to move all personal information into a secure environment.
Lastly, the local industry already has a number of PCI DSS experts that have assisted South African companies to meet the requirements set by the standard. These organisations are proficient and will become invaluable partners in helping organisations navigate the move towards PoPI Act compliance.
By Simeon Tassev, Managing Director and Qualified Security Assessor at Galix