Updated: Dec 8, 2023   |   Fallon Steyn

Protecting PII in South Africa's stringent regulatory landscape


The importance of protecting personally identifiable information (PII) cannot be overstated. Irrespective of their size, businesses in every sector face the risk of data loss, particularly those that handle vast amounts of confidential customer information. Cyber-attacks are also rising as adversaries grow more determined and their tools more sophisticated.

So says Fallon Steyn, MEA Regional Sales Manager at Next DLP, adding that the regulatory landscape is becoming increasingly stringent and complex alongside the evolving threat landscape, leading businesses to seek comprehensive solutions that go beyond addressing today’s challenges.

“Yet this expansion of data privacy regulations did not happen in a vacuum. As more businesses began to collect personal information, they became inevitable targets for threat actors looking to exploit that data for financial or other gains.”

The need to protect PII has seen lawmakers strive to keep up with the evolving ways in which established and emerging industries leverage technology to collect and monetise personal data, and to implement regulations designed to mitigate the risks of personal data exposure, she explains.

Protecting SA’s PII

In South Africa, the Protection of Personal Information Act (POPIA) outlines conditions for responsible parties to lawfully process the personal information of data subjects, including both natural and juristic persons.

“POPIA places the responsibility of compliance on whoever determines the purpose and manner of processing personal information; it does not mandate obtaining consent from data subjects for processing, nor does it prohibit processing altogether,” adds Steyn.

POPIA consists of eight general conditions and three additional conditions the responsible party must meet. Moreover, the responsible party is also accountable for ensuring their operators (those processing data on their behalf) adhere to these conditions.

According to her, this legislation is crucial as it safeguards data subjects from various harms, such as theft and discrimination. Importantly, non-compliance with POPIA poses significant risks, including reputational damage, financial penalties, imprisonment, and the possibility of compensating affected data subjects. Among these risks, the failure to protect account numbers carries particularly severe consequences.

“Moreover, regulations seek to uphold individuals’ right to privacy, and to ensure effective data protection, regulators have been given the authority to impose harsh penalties on those who fail to protect personal information adequately.”

The Department of Justice and Constitutional Development found this out the hard way in May of this year, Steyn says, as the Information Regulator issued an Infringement Notice, ordering the Department to pay a R5 million fine for its failure to provide evidence of security improvements following a ransomware attack in 2021.

Unfortunately, many organisations view traditional DLP solutions as a stumbling block to business operations and security for various reasons. For one, they have difficulty identifying and understanding how PII is used within the business. While they know they are capturing PII, they have little to no visibility of how that data is used daily.

Myriad risks from many sources

She adds that, in today’s landscape, PII can be used (and put at risk) in many structured and unstructured formats and applications, including moving PII through web applications, messaging apps, screenshots, email attachments, and cloud storage services. Additionally, most DLP solutions require organisations to build a classification schema for all sensitive data and then search the enterprise – sometimes for months, maybe even years – to identify all instances of the data before protection of that data can begin.

“Also, many DLP solutions were designed for business environments that we saw 20 years ago, with applications running locally and all workers operating within the corporate network. They had granular rules dictating what each group of users could do with each class of data, leading to inevitable false alerts, frustrating users, and security. In short, they were inadequate tools in today’s fight against cybercrime.”

Maintaining compliance with any regulatory mandate requires continuous, thorough diligence, as new sources of data are constantly emerging due to the needs of the business and the shifting regulatory environment, Steyn comments.

Robust DLP solutions

Unlike legacy DLP, modern DLP solutions help to address today’s risks effectively. With a next-gen solution that incorporates AI and ML capabilities, DLP can now be seen as an enabler that helps organisations successfully implement a DLP strategy, and as an integral part of any robust data loss prevention strategy. Such a strategy safeguards critical data, protects intellectual property, and ensures compliance with relevant regulations.

DLP systems play a crucial role in achieving these objectives by preventing the loss, mishandling, or unauthorised access of confidential and classified company data, helping entities to fortify their data security and establish a safer digital environment, she says.

For modern business practices, implementing advanced DLP technologies has become crucial. These tools continually monitor, detect, and block the transmission of confidential information beyond the company’s network. By employing sophisticated algorithms, next-gen DLP technology can intelligently identify any unauthorised data transfer requiring intervention.

Addressing a critical challenge

DLP can help South African organisations address the critical challenge of adhering to the principles of POPIA and ensuring the protection of personal information. By implementing a robust DLP strategy, they can effectively enforce POPIA and strengthen data protection efforts.

“Next-gen DLP technology can provide the necessary capabilities to identify sensitive data, and monitor usage, before having to build and enforce policies, thereby already reducing the risk of data breaches and fostering trust with stakeholders,” she says.

For example, Next DLP’s data protection solution, Reveal, uncovers risk, educates workforces, and helps companies meet security, compliance, and regulatory requirements. Unlike legacy DLP, Reveal is a flexible, cloud-native, ML-powered solution built with today’s advanced threat landscape in mind.

“By embracing DLP as an essential component of their data protection arsenal, South African entities can not only meet legal obligations, but also cultivate a culture of privacy, accountability, and transparency in today’s digital landscape,” Steyn ends.

This article is republished from the Mybroadband Press Office.

