On July 1, 2021, the Protection of Personal Information Act 2013 (POPIA) came into full effect.
The Act is a comprehensive data protection law that requires companies to satisfy a set of principles and conditions before they may lawfully process the personal information of data subjects (both natural and legal persons).
Marlouise Verster, a Legal Officer at Pay@, states that these firms now need to have substantial compliance programmes in place to ensure that they handle personal information on behalf of their clients, such as bill issuers, in the correct manner.
“In the eyes of the law, bill issuers are the entity principally liable for user data.
“If a breach occurs, the responsible party must notify the Information Regulator as well as the data subject whose personal information was disclosed or compromised. They’ll also need to take precautions to avoid reputational damage and business interruptions, as well as losing shareholder and customer trust.”
Verster added that the measures and level of security put in place by payment processors will frequently depend on the type of information being processed and its sensitivity, and that these will also need to be revisited on a regular basis to ensure that they remain appropriate.
Munsamy shared that there were gaps that led to breaches and incidents because information security was not reviewed holistically.
“POPIA requires that best industry practices be used to govern the business space. Implementing all of the required controls for information security reduces the risk of incidents, which lowers the likelihood of breaches,” she concluded.
For more news on cybersecurity and privacy, head to our website www.espc2go.com