"Section 19 of the Act says companies must take appropriate and reasonable measures to protect personal information against loss and destruction," says Floor. "That means keeping your own security and data protection up to date, and making sure anybody who handles data on your behalf does the same. As the responsible party, it's your job to ensure your suppliers comply with the requirements of the Act."
"While most companies easily grasp the importance of making sure personal data doesn't fall into the wrong hands," says Warren Olivier of Veeam, "fewer understand the importance of protecting it against loss or corruption."
"Losing personal data can cause serious problems for your customers," says Olivier, who is Veeam's Regional Manager for Southern Africa. "Imagine what would happen if you lost the records of their account payments, for example, or medical history files got corrupted. Knowing that data will always be available is critical."
Maintaining data availability goes beyond simply keeping backups, adds Olivier. "Having a backup is worth nothing unless you can actually restore from it -- so every backup needs to be tested, as well as being securely stored and encrypted."
He says Veeam Availability Suite includes 256-bit end-to-end encryption so that every backup is protected against unauthorised access -- and that encryption keys can be set per server or per backup job, ensuring that different departments are able to keep their data segregated from each other if necessary.
In addition, notes Olivier: "Companies need to ensure that data is protected appropriately during the recovery process. Asking a low-level help desk employee to restore a database of customer details, for example, is not on. Good solutions for data availability should include easy item-level recovery, so only authorised people can access only the information they need."
"A lot of this is just good IT practice anyway," says Floor. "A company that's already ISO or COBIT compliant probably won't need to do much extra work to ensure their processes and operations are in line with the security requirements of POPI."
On the other hand, he warns, "the Act says that as the holder of personal data you must inform both the Regulator and the data subject if that information has been accessed or acquired by an unauthorised person. It's far cheaper to protect yourself, and your data, to make sure that problem never occurs in the first place."