Four common POPIA myths thoroughly debunked

It’s been years in the making, but South African organisations now have to ensure they are fully compliant to the provisions of the Protection of Personal Information Act (POPIA), as the grace period for putting appropriate measures in place comes to an end.

This leaves every organisation that collects, processes, shares, or stores the personal data of South African citizens, organisations or legal entities at risk of being in contravention of POPIA’s provisions, if they haven’t implemented reasonable organisational and technical measures to protect personal information.

POPIA establishes eight minimum requirements for the lawful processing of personal data, but the provision most fraught with risk is arguably security safeguarding. Here, cybersecurity teams and their technology partners play a vital role in protecting the organisation not only from cyberattacks, but also the subsequent regulatory risks associated with successful data breaches.

Cybersecurity professionals are in the spotlight as organisations are besieged by a rising tide of cyberattacks designed to access sensitive data. The latest Mimecast State of Email Security Report 2021, found that phishing attacks had surged by 57% since the start of the pandemic, and 76% of South African organisations stated concerns over employees making a serious security mistake while either using their personal email, oversharing company information on social media, browsing the web or shopping online.

As organisations rush to become POPIA compliant, it is worth taking pause to ensure they are not caught out by these four common POPIA-related myths:

Myth #1: “It’s only a data breach when the data leaves my organisation”

The traditional view of a data breach is one of data exfiltration, where data is ‘stolen’ from an organisation’s systems. However, data does not need to leave the organisation for it to be considered a data breach. POPIA applies to any unauthorised access to personal information.

The global rise in ransomware attacks – such as the recent headline-grabbing ransomware attack on a US oil pipeline – adds more risk for organisations. Data that is encrypted in an attack constitutes a data breach.

Mimecast’s State of Email Security Report 2021 found that half (47%) of all South African organisations suffered a ransomware attack in the past year. This trend is likely to continue when one considers the significant financial rewards for cybercriminals who demand sizeable ransoms from the organisations whose defences they breach.

Myth #2: “I can outsource my compliance to an external provider”

This is perhaps the most dangerous myth of all. Many organisations believe they can simply outsource their responsibility of compliance to an external service provider, but this could put themselves – and their data – at immense risk.

Firstly, no one vendor or solution can ensure full POPIA compliance. A vendor – for example Mimecast – can certainly help organisations become compliant to some provisions. There are multiple other moving parts that organisations need to attend to if they are to be fully compliant.

It’s also not enough to simply take out cyber insurance as a mitigating force, since it provides little to no security against intentional negligence or illegal activities. If the right measures are not in place, it’s unlikely the insurer will pay out in the event you fall victim to a cyberattack.

Myth #3: “Unlike GDPR, it’s easier to just pay my POPIA fine than become compliant”

It’s true that GDPR’s penalties are more severe: the biggest GDPR-related fine to date was issued against Google and amounted to more than R850-million compared to POPIA’s maximum fine of R10-million. However, organisations that fail to protect the personal data in their systems can suffer immense damage to their reputations, which can be exponentially more damaging to the organisation in the long term.

Myth #4: “Any data breach puts me at risk of non-compliance and penalties”

Under Chapter 3, Section 19 of POPIA, organisations must take appropriate measures to prevent “(a) loss of, damage to or unauthorised destruction of personal information; and (b) unlawful access to or processing of personal information.”

The key here is to take ‘all reasonable steps’ to protect personal data. Organisations can still be considered compliant even if they fall victim to a data breach, provided they can prove that they took every reasonable step to prevent such a breach.

The alternative – suffering legal, financial and reputation damage – is simply too damaging to the organisation to even consider.