Protect your data from unathorised access - on premise and in the cloud

Data security protects enterprise information from malicious insiders and hackers

We implement centrally defined access policies using dynamic masking and tokenisation.

Data activity monitoring and user behaviour analytics detect and prevent malicious activity, without compromising your data

THE 4 PILLARS OF DATA SECURITY FOR PRIVACY

Govern, Protect and Monitor your Personal Data

Policies and planning

Security and access are fit for purpose

Access Policies

Physical Security

Protect your data

Access Protection

Everywhere

On-premise and in the cloud

Data security

High Availability

Authorised users have easy access to information services

Availability

How does data security apply to PoPIA?

We often hear the terms data privacy and data security being used interchangeably. Yet, they are not the same thing.

South Africa's Protection of Personal Information Act (PoPIA) list eight conditions for the protection of personal information, of which only one (Condition 7) is focused on data security.

Similarly, data security is a substantial discipline that extends beyond ensuring data privacy.

Let's take a look at PoPIA Condition 7

PoPIA Condition 7 - Security safeguards

Section 19 Security measures on integrity and confidentiality of personal information

A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—
1. loss of, damage to or unauthorised destruction of personal information; and
2. unlawful access to or processing of personal information.
In order to give effect to subsection (1), the responsible party must take reasonable measures to—
1. identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
2. establish and maintain appropriate safeguards against the risks identified;
3. regularly verify that the safeguards are effectively implemented; and
4. ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.

Section 20 Information processed by operator or person acting under authority

Section 21 Security measures regarding information processed by operator

Section 22 Notification of security compromises

Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify—
1. the Regulator; and
2. subject to subsection (3), the data subject, unless the identity of such data subject cannot be established.
The notification referred to in subsection (1) must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.
The responsible party may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Regulator determines that notification will impede a criminal investigation by the public body concerned.
The notification to a data subject referred to in subsection (1) must be in writing and communicated to the data subject in at least one of the following ways:
1. Mailed to the data subject’s last known physical or postal address;
2. sent by e-mail to the data subject’s last known e-mail address;
3. placed in a prominent position on the website of the responsible party;
4. published in the news media; or
5. as may be directed by the Regulator.
The notification referred to in subsection (1) must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including—
1. a description of the possible consequences of the security compromise;
2. a description of the measures that the responsible party intends to take or has taken to address the security compromise;
3. a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
4. if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.
The Regulator may direct a responsible party to publicise, in any manner specified, the fact of any compromise to the integrity or confidentiality of personal information, if the Regulator has reasonable grounds to believe that such publicity would protect a data subject who may be affected by the compromise.

Read our blog

Data protection explained

Read now

Universal Data Authorization

Dynamically compliance with data security and privacy regulations

Explore

Analyst Report

Data privacy, security and data-related compliance

Register free

Webinar on-demand

Best Practices for Privacy and Governance

Register and watch