Earlier this year, June to be more precise, significant elements within the Protection of Personal Information Act (PoPIA) came into effect, but local companies and organisations still have until the middle of next year to ensure they are compliant.
While some may be prioritising the need to be compliant above all else, AVeS Cyber Security is of the opinion that having the right data protection policies in place first, will make compliance far easier to accomplish.
This according to CEO, Charl Ueckermann, who notes that the rush for PoPI compliance presents a great opportunity for savvy businesses.
“A robust and resilient business should be your primary goal. Rather than focusing only on compliance, use this as an opportunity to sharpen your organisation’s data protection capabilities,” he says.
“Once you understand how POPIA and other information security standards, such as ISO27001, can benefit your business, it’s like hitting two birds with one stone: you take appropriate and reasonable steps to fine-tune how your business works with confidential information, and compliance follows naturally,” explains Ueckermann.
This process makes sense in his view, as the requirements contained within PoPI are quite similar to those of general data protection.
To that end, he believes that CIOs and IT managers should address the confidentiality, integrity and availability of data, and cover both the cyber and physical security aspects of information protection.
The start of such an undertaking is to identify what information within your organisation needs to be protected.
“Any information that you deem as critical to your business or mentioned in POPIA should be protected. This can include information about employees and customers, product information, research data, financial information and other intellectual property,” he says.
Here, Ueckermann says starting with a facilitated PoPIA assessment is a productive and cost-effective way to help a business determine how compliant it is, which sections of the Act apply based on the nature of its operations, and which information should be protected.
To that end, different companies in varying industries will need to take their own unique steps. Additionally, what applies to a big corporate may not apply to a small or medium-sized business, stresses Ueckermann.
“A guided assessment further provides valuable insights into where there are gaps and how to prioritise addressing them. An implementation roadmap often follows a good POPIA assessment to show where to focus information protection efforts to meet POPIA’s requirements timeously,” the CEO points out.
As such, he adds that a proactive approach will be required should businesses wish to be ready before the June 2021 grace period lapses.
“If you are not already thinking about information security, there is no better time than now. Look beyond compliance and focus on protecting your business, your intellectual property and the stakeholders that are linked to it,” he concludes.