Inherent risk is the risk that is inherent to a specific function or sub-process; it is measured before any control measures are taken into account.
If Personally Identifiable Information (PII) were lost in that sub-process, the impact might be Critical, High, Medium or Low.
Where the volume of PII is low and no sensitive or special personal information is processed, the inherent risk might be Low.
Where the volume of PII in a sub-process is high and sensitive or special personal information is processed in that sub-process, the inherent risk might be Critical.
The residual risk is the risk that remains after the control measures have been taken into account.
If there are no control
measures in place the Residual Risk will be the same as the Inherent Risk.
The more control measures that are in place, the greater their effect on the residual risk that remains. A sub-process might have a High inherent risk, but because of the control measures its residual risk is Medium.
The residual risk is the one that an organisation can control by adding control measures. The residual risk should always be at an acceptable level for the organisation. If it is too high, more control measures should be added.
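The inherent and residual ratings described above, worked through as a small added example that is not part of the original page: the Low and Critical cases follow the text, while the two mixed cases, the one-level-per-control reduction and the sample register are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Ordered ratings used on the page, lowest first.
LEVELS = ["Low", "Medium", "High", "Critical"]


@dataclass
class SubProcess:
    name: str
    high_volume: bool   # is the volume of PII in this sub-process high?
    special_pii: bool   # is sensitive or special personal information processed?
    controls: list = field(default_factory=list)  # control measures in place


def inherent_risk(sp: SubProcess) -> str:
    """Rating before controls. Low volume without special PII -> Low and high
    volume with special PII -> Critical follow the text; the mixed cases are assumed."""
    if sp.high_volume and sp.special_pii:
        return "Critical"
    if sp.high_volume:
        return "High"
    return "Medium" if sp.special_pii else "Low"


def residual_risk(sp: SubProcess) -> str:
    """Rating after controls. With no controls it equals the inherent risk; each
    control is assumed to lower the rating by one level, never below Low."""
    idx = LEVELS.index(inherent_risk(sp)) - len(sp.controls)
    return LEVELS[max(idx, 0)]


def needs_more_controls(sp: SubProcess, acceptable: str) -> bool:
    """True when the residual risk is above the organisation's acceptable level."""
    return LEVELS.index(residual_risk(sp)) > LEVELS.index(acceptable)


def review(register, acceptable="Medium"):
    """Names of sub-processes whose residual risk still has to be reduced."""
    return [sp.name for sp in register if needs_more_controls(sp, acceptable)]


# Constructed sample register (hypothetical sub-processes and controls).
REGISTER = [
    SubProcess("payroll export", True, True, ["encryption at rest", "MFA on HR system"]),
    SubProcess("newsletter sign-up", False, False),
    SubProcess("support ticket archive", True, False),  # no controls yet
]

print(review(REGISTER))  # ['support ticket archive']
```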
Access management is the umbrella term for the tools and technologies that control user access to critical information, including personal identifiable information (PII), within an organisation. Access management aims to grant authorised users the right to use a service while preventing access by non-authorised users.
This can be done using usernames and passwords, multi-factor authentication, tokens, biometrics and other means of granting access.
The General Data Protection Regulation (GDPR) is a legal
framework that sets guidelines for the collection and processing of personal
information from individuals who live in the European Union (EU).
POPIA designates the head of the business as the Information
Officer. Depending on the type of business, the Information Officer will be the
sole trader, a partner in a partnership or CEO (or equivalent) in a company or
CC. The head of the business can delegate their responsibilities as Information
Officer to any other duly authorised person. It is important to note that
whoever “determines the purpose of and means for processing personal
information” remains ultimately responsible for ensuring that the processing of
personal information is done in a lawful manner. The Information Officer may
also appoint (in writing) as many Deputy Information Officers as necessary.
Logical controls refer to the authentication and authorisation of users to a company system or program. Logical access controls use advanced password programs and advanced biometric security features. These features identify the employee; the system then determines whether the employee has the appropriate authorisation to access the data.
Personal information may only be processed, if the purpose
for which it is processed is:
- Adequate
- Relevant
- Not excessive
Physical controls mean the restriction of access to a physical space within the company. This type of access control limits access to rooms or buildings, which may include server rooms. In addition, physical access control keeps track of who is coming and going in high-risk areas.
Retention periods differ for each type of data that a company collects.
It is vital that a Retention and Destruction Policy and Procedure be implemented in your business to document these periods.