By now, you’ve probably heard about the Protection of Personal Information Act, more commonly known as PoPI. And presumably, you understand a little something about how this new piece of legislation is set to change what businesses can do with customer and corporate data.
But what does PoPI mean for cybersecurity?
Basically, under PoPI, any business that holds customer or client data is responsible for securing that information, and must legally put the necessary organisational and technical measures in place to prevent this confidential personal information from being stolen or compromised. Here, it’s important to point out that "personal information" is not just information pertaining to regular people, but also to legal entities. These include companies, communities and any other legally recognised entity.
To understand what PoPI actually requires you to do, it’s important to consider these “technical” and “organisational” measures for a moment.
Many companies are intimidated by PoPI because of the potential costs of meeting the requirements of the Act. But when it comes to the technical measures businesses are required to put in place, these are some of the easier elements of achieving compliance. Basically, businesses must use technical means to protect the information that exists within the organisation. Most already have these “technical” safeguards in place, some of which include:
- Network firewalls
- Disk encryption for all hard drives
- Antivirus and anti-phishing software
- Strong password protection
When looking at the organisational implications of PoPI, the scenario gets a little more complicated. Let’s imagine that you outsource your IT. Many businesses opt to do so because outsourcing allows them to access expensive skills and the most advanced solutions, without the burden of hiring costly IT professionals or having to make sizable investments in infrastructure. But just because you’re passing on the responsibility of looking after your data to someone else doesn’t mean that you’re no longer responsible for keeping it safe. All businesses need to implement the necessary security measures.
One simple example of these organisational measures is implementing proper access management policies and controls. With these safeguards in place, anyone who wants to access a specific network or piece of information will need to formally request access. Once the request is approved, this person needs to accept the responsibility that accompanies the access rights they’ve been granted. In doing so, they’re essentially acknowledging that they’ve been given access to sensitive information and are responsible for keeping that information safe.
Want to understand where your strengths and weaknesses lie? Download our enterprise-level security risk assessment.