POPIA insists on total enterprise asset management
verburdened security professionals often dismiss enterprise asset management (EAM). But the recent extension of Protection of Personal Information Act (POPIA) regulations to include the loss or theft of devices exposes organisations to what could be a very expensive compliance headache
verburdened security professionals often dismiss enterprise asset management (EAM). But the recent extension of Protection of Personal Information Act (POPIA) regulations to include the loss or theft of devices exposes organisations to what could be a very expensive compliance headache.
The main challenge is not a lack of awareness about the importance of security, but rather a misalignment of priorities within security teams. Security leaders and their teams already have a host of dashboards they are monitoring and they are overwhelmed. If you raise EAM with them, there is a perception that this involves more work.
The focus at many organisations tends to be on high-profile security controls, while the less glamorous but essential task of asset data integrity is relegated to the background.This oversight is not without consequence. According to IBM, the average cost of a data breach in SA reached R44.1 million in 2025, rising to R70.2 million in the financial sector, demonstrating the multimillion-rand consequences of compliance failure.
Companies can’t protect what they do not track and monitor, and EAM plays a fundamental role in any security strategy. The proliferation of devices, cloud services and applications, often acquired outside official procurement channels, has made manual asset management unfeasible.As a result, shadow IT and untracked devices can easily slip through the cracks, creating blind spots that attackers are all too ready to exploit.
Shadow IT represents a significant risk. Unmonitored devices like personal devices connected to networks, unmanaged hardware and ghost devices create risks of data exfiltration.Unauthorised software and apps, especially GenAI applications like ChatGPT, also greatly expand an organisation’s attack surface, making it challenging for IT teams to track all digital assets, with data leaks, breaches and regulatory violations going unnoticed.These devices can also lead to duplicated software licences, tool sprawl and hidden costs, making IT budgeting inefficient and forcing IT teams to manage fragmented systems. This will impact incident response, asset tracking and consistent policy enforcement.
Just like the European Union’s General Data Protection Regulation (GDPR), South Africa’s POPIA requires organisations to ensure data security throughout the asset lifecycle.The regulator requires responsible parties to take appropriate, reasonable technical and organisational measures to prevent unauthorised access or security compromises, which includes risks from old or discarded devices.And, just as with the GDPR, when it comes to data breaches, POPIA makes provision for fines and even jail time for those responsible for data leaks.However, many organisations aren’t aware of recent changes.
The 2025 amended regulations have been extended to include stolen and lost devices within the scope of ‘security compromise’. This means that the loss or theft of physical devices such as laptops, mobile phones, USB drives, or other equipment containing personal information now constitutes a reportable data breach.Businesses must now treat the loss or theft of IT equipment as a security compromise, requiring immediate reporting to the Information Regulator and notification to affected data subjects.
This expanded definition makes the need to protect both electronic and physical forms of data exposure all the more urgent.The consequences of non-compliance could be severe. In the event of a data breach, organisations are expected to quickly identify which assets were affected, what data was exposed, and how the incident occurred. This is only possible with a robust EAM system in place.If companies don't have a complete and accurate asset register of all devices, services, apps and databases, they can never know which asset was affected and they can't map owners and data types to it.
READ MORE: https://www.itweb.co.za/article/popia-insists-on-total-enterprise-asset-management/LPwQ57lbKl4qNgkj
The main challenge is not a lack of awareness about the importance of security, but rather a misalignment of priorities within security teams. Security leaders and their teams already have a host of dashboards they are monitoring and they are overwhelmed. If you raise EAM with them, there is a perception that this involves more work.
The focus at many organisations tends to be on high-profile security controls, while the less glamorous but essential task of asset data integrity is relegated to the background.This oversight is not without consequence. According to IBM, the average cost of a data breach in SA reached R44.1 million in 2025, rising to R70.2 million in the financial sector, demonstrating the multimillion-rand consequences of compliance failure.
Prime targets
Shadow IT represents a significant risk. Unmonitored devices like personal devices connected to networks, unmanaged hardware and ghost devices create risks of data exfiltration.Unauthorised software and apps, especially GenAI applications like ChatGPT, also greatly expand an organisation’s attack surface, making it challenging for IT teams to track all digital assets, with data leaks, breaches and regulatory violations going unnoticed.These devices can also lead to duplicated software licences, tool sprawl and hidden costs, making IT budgeting inefficient and forcing IT teams to manage fragmented systems. This will impact incident response, asset tracking and consistent policy enforcement.
Better oversight
The 2025 amended regulations have been extended to include stolen and lost devices within the scope of ‘security compromise’. This means that the loss or theft of physical devices such as laptops, mobile phones, USB drives, or other equipment containing personal information now constitutes a reportable data breach.Businesses must now treat the loss or theft of IT equipment as a security compromise, requiring immediate reporting to the Information Regulator and notification to affected data subjects.
This expanded definition makes the need to protect both electronic and physical forms of data exposure all the more urgent.The consequences of non-compliance could be severe. In the event of a data breach, organisations are expected to quickly identify which assets were affected, what data was exposed, and how the incident occurred. This is only possible with a robust EAM system in place.If companies don't have a complete and accurate asset register of all devices, services, apps and databases, they can never know which asset was affected and they can't map owners and data types to it.
READ MORE: https://www.itweb.co.za/article/popia-insists-on-total-enterprise-asset-management/LPwQ57lbKl4qNgkj