LIZAAN LEWIS | Information regulator sends data firm stern warning

After many years of hearing about the protection of personal information (POPI) Act and the effect it would have on businesses in terms of their responsibility to protect personal data, businesses have finally seen the warning shot fired by the information regulator.

“Get your house in order,” the regulator has warned. The Information Regulator dishing out a R5m fine to the department of justice and constitutional development should cause pause for thought for all businesses that process personal information.

Fines can go up to R10m and even jail time if it is found there was malicious intent leading to a data breach. The department was fined over a data breach that occurred about two years ago.

Despite receiving an enforcement order, the department did not comply. The lesson in this is how easily this could have been averted as it was found that the department had not renewed licences for cyber security software - something seemingly so simple but which opened the door to the hackers.

The obligation in the event of a data breach is to prove that you did everything in your power to prevent the data breach. The department was required to demonstrate the steps it took to rectify the problems.

Not renewing licences for cyber security software may seem small but the consequences were huge. There absolutely have to be contingencies in place for businesses of all sizes. For example, a monitoring tool may not give you protection but it will point you to where there is unusual activity, which could be the site of a data breach.

In the modern digital world, cross-border movement of data is not unusual, and the European Regulator has issued very big fines to household names for flouting obligations related to the general data protection regulation.

As an absolute starting point businesses should ensure all their software licences are up to date. Just because they don’t see it affecting their business does not mean it shouldn’t be a priority.

It’s important to understand that you need the correct software for your type of business because not all firewalls or virus protection software are identical, and some are not suitable for certain types of organisations.

This means there must be a proper assessment of a business’s environment so that it can know exactly what protection is needed. It may be easy to use Google to find tools but these may not be right for certain environments and may require specialised skills to use.

The prudent thing to do would be to engage with industry experts who can immerse themselves into an environment and advise on exactly what the business needs, from systems to processes and tools.

In the event of a data breach, a business needs to have peace of mind that not only can it recover important data and continue its operations but it must also be confident that it can prove to the information regulator that it did everything reasonably possible to prevent a data breach while also having the capability to mitigate against future attacks.

Failing to do this turns a business into a sitting duck just when the information regulator has shown its teeth.

■ Lewis is head of legal at Altron Systems Integration