"POPI Compliance" - What does it mean?
Over recent months there has been an increasing trend on the part of suppliers of POPI products and services to represent that their product or service is “POPI compliant”. These representations seem to promise a “silver bullet” that will magically render processors of personal information “POPI compliant”. Quite simply, this is false marketing, and any person or organisation that makes such representations does not understand the purpose of POPI or the nature of information security, without which the protection of personal information is impossible.
As the word “Protection” in the title of POPI suggests, the safeguards necessary for the lawful processing of personal information must be established and maintained by those who process it. What is appropriate will differ depending on the information processed and the organisation processing it. Personal information processed in one context may be highly sensitive, while the same information processed in another context may be relatively harmless. In determining how personal information should be protected, a myriad of factors come into play, among them the nature of the information and the risk of its being abused. Because these vary considerably from one processing context to another, the necessary protections vary with them. There is no single product or service that will in itself render the processing of personal information “POPI compliant”.
Information security disciplines recognise the vast differences that must be taken into account in protecting information, and the necessity of selecting appropriate technologies, developing documented processes that govern the use of those technologies in the processing of the information, and training people in those processes. This combination of technology, process and people is central to achieving an appropriate state of security for the information being processed. While it may be tempting to think that the competencies needed to achieve information security can simply be purchased or outsourced, save in fairly limited circumstances, doing so will not achieve appropriate information security, the protection of personal information, or therefore compliance with POPI. Processors of personal information must recognise that even where they outsource elements of the protection of personal information, they remain directly responsible to the persons whose information they process. As responsible parties they must ensure that the conditions for lawful processing of personal information are complied with, and must recognise that they are liable for the criminal sanctions that may be imposed, and the civil claims that may arise, from a compromise of personal information. The importance of developing core competencies in the protection of personal information, by all processors of personal information, therefore cannot be overstated. It is a non-negotiable fact of life in processing personal information in the 21st century.
The technologies that we apply in processing and communicating information electronically are not static, and examples of how new vulnerabilities arise are readily at hand. Many well-known technologies, designed and developed with the best intent and with security in mind, may nevertheless be found to contain flaws by attackers who constantly search the software used in these technologies for weaknesses. Once a vulnerability is discovered it may be exploited, and the exploit may be packaged into malware. This is why the software itself must be kept patched as vulnerabilities are disclosed, and why we employ anti-virus software, constantly updated in reaction to new malware, which now forms a seamless and almost invisible part of modern information systems. Core to the effectiveness of both is constant updating: a patch applied late, or an anti-virus product whose detection signatures are months old, offers little protection against current attacks.
Against this background, while there are products and services which, in differing circumstances and to differing degrees, may prove helpful, important or even critical in the protection of personal information, in themselves they will not magically confer “POPI compliance” on an organisation. Achieving compliance is far more a “people” issue than a technology issue. Compliance with the different provisions of POPI will depend far more on developing an understanding of the law and of the security risks to the particular organisation, and on building a culture of vigilance that guards against the potential abuses threatening the organisation’s processing of personal information.
Those that profess otherwise are simply selling snake oil.
©Mark Heyink 2015