Data security is at the heart of PoPI

July 2016 Editor's Choice, Security Services & Risk Management

As the implementation of the Protection of Personal Information Act (PoPI) gradually comes closer, South African organisations are wondering how best to prepare for it. The key is to understand that data security lies at the heart of PoPI compliance, argues Godfrey Kutumela, head of Security & Cyber Crimes Prevention Unit at IndigoCube.

Godfrey Kutumela.
Godfrey Kutumela.

“Personal information is part of the organisation’s total data set, so any strategy to become PoPI-compliant has to begin and end with how you manage and use data as part of your business operations. And because virtually every organisation is moving to digitise all its data assets, data confidentiality and integrity are at the heart of any data privacy and protection management process,” he says. “Once you understand this, it becomes much easier to scope, design and execute a data protection strategy that the regulator will deem reasonable.”

By way of background, Kutumela explains that while PoPI has been signed into law, full implementation has been delayed pending the approval of a regulator. Candidates for the post were shortlisted in April 2016, a major milestone on the road towards full implementation. PoPI does not stipulate how organisations should protect and manage the personal data in their possession; rather, it requires that “appropriate, reasonable, technical and organisational measures” are taken.

“We are breaking new ground here, and it will take some time before there is a body of administrative decisions by the regulator that will give greater certainty,” he says. “In the meanwhile, there are three logical steps that organisations can take to demonstrate they have sought to apply the law.”

Kutumela’s three steps to PoPI compliance are:

• Identify personal data that is collected, stored or processed in your organisation. To accomplish this, it will be necessary to conduct an enterprise-wide exercise to determine the privacy risk the organisation faces. There is simply too much data to protect it all, so it’s vital to know where the personal data covered by PoPI is, with the guiding principle being the business strategy. Those applications and data stores that directly enable strategic goals should receive the highest priority.

• Control access to personal data using a risk-based identity model. Kutumela strongly argues that identity management and access control are the cornerstones of any security system. When it comes to protecting personal data within the spirit of the Act, they are vital. “Not only must personal information be protected from cyber-criminals, it must also be used appropriately, in line with the purpose for which it was collected. That means it should only be accessed by employees or apps for the purpose for which it was collected.”

The challenge here is that digital business models depend on data sharing, so access decisions need to be dynamic, and based on a clearly defined set of risk factors.

• Protect personal data, whether structured or unstructured, adequately while it is at rest. The most effective way to protect personal data – or any data – is where it is stored, in the database. When it is being used, it is dispersed and does not present a target; as a result, attempts to hack data target data repositories. “Data repositories are where the crown jewels are kept, and they should be the focus of security efforts,” Kutumela says.

For more information contact Godfrey Kutumela, IndigoCube, +27 (0)11 759 5950,

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

24-hour emergency response for staff
August 2019 , News, Security Services & Risk Management
The FirstRand Group has partnered with PanicGuard to create a 24-hour emergency response programme for staff.

Keeping our changing environment secure
August 2019 , Editor's Choice, Security Services & Risk Management
For a crime to take place there needs to be a victim and a criminal who sees an opportunity. For a cybercrime to take place we need the same set of circumstances.

Augmented security with drones
August 2019, Drone Guards , Editor's Choice, Integrated Solutions
Drone Guards is moving into an untapped market of using drones to secure residential estates and other high-value assets such as mines, farms and commercial properties.

The importance of real security risk assessments
August 2019, Sentinel Risk Management , Editor's Choice, Security Services & Risk Management, Residential Estate (Industry)
Andy Lawler, MD, Sentinel Risk Management, says a security risk assessment is an onerous task, but is not something estates can consider optional or a luxury item anymore.

Risk assessment or product placement?
August 2019, Technews Publishing, Alwinco, SMC - Security Management Consultants , Editor's Choice, Security Services & Risk Management, Residential Estate (Industry)
Hi-tech security solutions asked a couple of experts to provide estate managers and security managers with some insights into what a ‘real’ risk assessment includes.

How far are we really at with artificial intelligence?
August 2019, Axis Communications SA , Editor's Choice, CCTV, Surveillance & Remote Monitoring, IT infrastructure, Residential Estate (Industry)
Justin Ludik unpacks exactly how far AI has come and what it potentially can do for society and more importantly, surveillance.

Residential security – caveat emptor
August 2019, Stafix , Integrated Solutions, Security Services & Risk Management
When it comes to improving your property’s security, make sure you take all the options into account as you build a layered approach to keeping people safe and assets secured.

The importance of effective perimeter security
August 2019, Elf Rentals - Electronic Security Solutions, Stafix , Editor's Choice, CCTV, Surveillance & Remote Monitoring, Residential Estate (Industry)
Protecting the perimeter is critical for any residential estate; how does one go about making sure your perimeter is as secure as possible?

Ensuring your electric fence is compliant
August 2019, Stafix , Perimeter Security, Alarms & Intruder Detection, Security Services & Risk Management
A challenge facing both existing and potentially new perimeter electric fence installations is how to economically meet the legal requirements required in the SANS 10222-3:2016 standards document.

Addressing risks by means of access control layout and design
August 2019 , Access Control & Identity Management, Security Services & Risk Management
In order to develop a suitable, practical and appropriate security system for any organisation, it is essential to first develop a master security and life safety plan strategy.