Need to protect information grows

2018-06-20 06:01
Damian Viviers

Damian Viviers

Multimedia   ·   User Galleries   ·   News in Pictures Send us your pictures  ·  Send us your stories

Q uestion:

I have an advisory business serving private and corporate clients.

Our client information is stored on a central server in our offices.

I have been advised to review our data security due to the growing risk of being hacked and the requirements of Popi to protect the personal information of my clients.

What does Popi require of me in this regard?


The Protection of Personal Information Act 4 of 2013 (“Popi”) aligns South Africa with the international position in respect of information and data protection.

Although Popi has not yet fully come into operation, it is only a matter of time before it does.

An important aim of Popi is to protect persons from suffering damage and harm by requiring entities and persons who receive personal information to protect such information.

Popi therefore places an important responsibility on parties who collect, store, use and destroy personal information (“responsible parties”) and provides rights and remedies to persons whose rights have been infringed (“data subjects”).

Popi obliges responsible parties to ensure the integrity and confidentiality of personal information in their possession.

Data security is promoted by appropriate and reasonable technical (electronic) and organisational (physical) measures to prevent the loss of, damage to, unauthorised destruction of, unlawful access to and the unlawful processing of personal information.

It is important to understand that data security is not restricted to personal information that is processed electronically (technical).

Even physical records containing personal information of data subjects (organisational) may need to be secured.

Information security breaches in the modern business environment may occur through various means, including theft, deliberate attacks on electronic systems, unauthorised use of personal information of data subjects by an employee, accidental loss or even equipment failure.

Although Popi does not specify the technical requirements that must be met, it will be the responsibility of each responsible party to ensure that they have the necessary and appropriate technical and organisational measures in place to protect data.

In the event that a responsible party’s data security safeguards are compromised and unauthorised access to personal information ensues, responsible parties will be required to notify the Information Regulator, as well as the affected data subjects, as soon as is reasonably possible after the discovery of the compromise.

The notice will also have to contain sufficient information for data subjects to adequately protect themselves against any potential consequences of the compromise in data security.

A responsible party will also have to contain the breach, aim to recover any compromised data (if possible), assess the risks associated with the breach – including the potential harm for data subjects – and conduct an investigation into the cause of the breach and the effectiveness of the response thereto.

Responsible parties will therefore carry an extensive burden in terms of Popi in respect of their network and data security and it would be advisable to enlist the help of a technical expert or Popi specialist to review your current data security systems and develop the necessary security plans and procedures for your business.

– Damian Viviers, associate, Phatshoane Henney Attorneys


Join the conversation! encourages commentary submitted via MyNews24. Contributions of 200 words or more will be considered for publication.

We reserve editorial discretion to decide what will be published.
Read our comments policy for guidelines on contributions.

Inside News24

Traffic Alerts
There are new stories on the homepage. Click here to see them.


Create Profile

Creating your profile will enable you to submit photos and stories to get published on News24.

Please provide a username for your profile page:

This username must be unique, cannot be edited and will be used in the URL to your profile page across the entire network.


Location Settings

News24 allows you to edit the display of certain components based on a location. If you wish to personalise the page based on your preferences, please select a location for each component and click "Submit" in order for the changes to take affect.

Facebook Sign-In

Hi News addict,

Join the News24 Community to be involved in breaking the news.

Log in with Facebook to comment and personalise news, weather and listings.