Information security laws (many of which are also privacy laws) across the globe require you to secure the personal data that you process. The General Data Protection Regulation (GDPR) in Europe, the Data Protection Act in the United Kingdom, and the Protection of Personal Information Act (POPIA) in South Africa are three examples of information security laws that require you to apply a certain standard of security to the personal data you process. These requirements affect your organisation at different levels: they have an impact on your employees, on the policies you have in place, and even on the software you use. Generally, the security measures you should use to comply fall into four categories, namely:
- physical security (e.g. alarm systems, security personnel at entrances, cameras, etc.);
- digital security (e.g. internet firewalls, up-to-date software, encryption, etc.);
- operational security (e.g. employee training, monitoring, fostering a culture of security, etc.); and
- administrative security (e.g. planning, policies, insurance, etc.).
How do you comply with Information Security Laws or Privacy Laws?
What if a bank employee accidentally sends bank account information to a person completely unrelated to the account holder? Would the account holder seek to hold the bank liable for not providing sufficient training, or would they try to hold the employee themselves liable?
Organisations face these kinds of situations more often than we realise, and the consequences can be dire. Information security laws aim to prevent these situations, or to drastically reduce the chances of them occurring at all. The Minimum Information Security Standards (MISS) is one such law, especially where nationally important institutions such as banks are concerned.
The legal requirement that you must have security measures that are appropriate and reasonable for the kind of personal data you process has significant implications for your organisation. It means that, in order to comply, one of your responsibilities is to avoid the bank employee situation described above by providing your employees with adequate training, having adequate policies in place, and raising awareness in your organisation about data protection. Complying with the security requirement also entails considering robust technical measures, such as internet firewalls and strong encryption, for your online operations.
Actions you can take
- Empower yourself with knowledge of how information security requirements apply to you, by reading our comprehensive information security guide.
- Raise awareness in your organisation by attending a public or private Information Security Workshop.