The final sections of the South African Protection of Personal Information Act (POPIA) came into effect on 30 June 2020, setting out how companies must process personal information within their businesses. There are eight minimum requirements, with perhaps the most important being that businesses and other operators must implement appropriate security safeguards to ensure the integrity and confidentiality of personal information in their possession.
Cloud services are considered ‘operators’, and are therefore subject to the requirements outlined in the POPIA. Bear in mind that data must be considered when it is sent to cloud services, received from cloud services, moved between cloud services, and held in cloud services. Simply put, all data flows are subject to the law and need to be monitored and controlled accordingly.
Businesses and operators need to ensure that their data loss prevention (DLP) protocols are adequate in a time where 95% of companies have adopted cloud services, and 79% admit to storing sensitive data there. Endpoint DLP – implemented on a business’s network – is simply no longer sufficient.
This is even more relevant in an increasingly work from home (WFH) and bring your own device (BYOD) environment, with these trends expanding the traditional network perimeter to the point that business-critical information often lies outside of corporate-managed domains and devices.
As more and more enterprises adopt Software as a Service (SaaS) and Infrastructure as a Service (IaaS) solutions, it’s even more important – with POPIA in mind – for any activity around personal data to be detected, managed, and controlled.
However, there are few security products that cover all bases when it comes to DLP across endpoint and cloud, and many businesses deploy multiple products. Doing so closes all the gaps – but it leads to pitfalls, such as differences in DLP policies, data classifications, and content extraction engines.
This makes it difficult to ensure consistent DLP detection across products, and, in turn, makes businesses vulnerable to data loss and data theft, leading to violations of the conditions described in the POPIA.
A unified data and threat protection solution can cover all potential data leak vectors, including endpoint, unsanctioned shadow IT apps, sanctioned apps (including email) and cloud-to-cloud transfers. It is managed via a single console, and uses the same DLP technology everywhere.
With the POPIA compliance grace period nearly closed, businesses that have not yet pivoted to comply with all its requirements – particularly from a security point of view – are likely to attract fines of up to R10 million per breach from the regulator, or a prison sentence of up to ten years. Faced with consequences like that, it surely seems foolhardy for businesses not to consult with experts in protecting businesses from cyberattacks.