The final sections of the South African Protection of Personal Information Act (POPIA) came into effect on 30 June 2021, informing companies about how they process information their businesses, notes Carlo Bolzonello, South Africa country manager for McAfee.
There are eight minimum requirements, with perhaps the most important being that businesses and other operators must implement appropriate security safeguards to insure the integrity and confidentiality of personal information their possession.
Cloud services are considered ‘operators’, and are therefore subject to the requirements outlined in the POPIA, bearing in mind that data needs to be considered when data is sent to cloud services, from cloud services, between cloud services, and in cloud services. Simply put, all data flows are subject to the law and need to be monitored and controlled accordingly.
Businesses and operators need to ensure that their data lost prevention (DLP) protocols in a time where 95% of companies have adopted cloud services, and 79% admit to storing sensitive data there. Endpoint DLP – implemented on a business’s network – is simply no longer sufficient.
This is even more relevant in an increasingly work from home (WFH) and bring your own device (BYOD) environment, with these trends expanding the traditional network parameter to the point that business-critical information often lies outside of corporate-managed domains and devices.
Managing personal data
Furthermore, as more and more enterprises adopt SaaS and Iaas solutions, it’s even more important – with POPIA in mind – for any activity around personal data to be detected, managed, and controlled, particularly given that companies actively assessing their data exfiltration attempts in IaaS saw an average of 5,314 events each month in 2020.
However, there are few security products that cover all bases when it comes to DLP across endpoint and cloud, and many deploy multiple products. Doing so does close all the gaps – but it does lead to pitfalls, such as differences in DLP policies, data classifications, and content extraction engines.
This makes it difficult to ensure consistent DLP detection across products, and in turn, makes businesses vulnerable to data loss, data theft, and in turn, violating the conditions described in the POPIA.
A unified data and threat protection solution will cover all potential data leak vectors, including endpoint, unsanctioned shadow IT apps, sanctioned apps (including email) and cloud to cloud transfers. It’s managed via a single console, and uses the same DLP technology everywhere.
With the POPIA compliance grace window period nearly closed, businesses that have not yet pivoted to comply with all its requirement – particularly from a security point of view – are likely to attract fines of up to R10-million per breach from the regulator, or a prison fine of up to ten years. Faced with consequences like that, it surely seems foolhardy for businesses to not consult with experts in protecting businesses from cyberattacks