Latest
New NGO jobs posted daily — browse the latest vacancies NGO Pulse Plus: manage your organisation's profile, ads and funding Funding opportunities updated weekly for South African nonprofits Post a job in minutes — reach thousands of nonprofit professionals Find your next NGO role today — search our job board Advertise your organisation's opportunities to the sector Stay updated with the latest news and funding alerts Connect with NGOs and nonprofits across South Africa New NGO jobs posted daily — browse the latest vacancies NGO Pulse Plus: manage your organisation's profile, ads and funding Funding opportunities updated weekly for South African nonprofits Post a job in minutes — reach thousands of nonprofit professionals Find your next NGO role today — search our job board Advertise your organisation's opportunities to the sector Stay updated with the latest news and funding alerts Connect with NGOs and nonprofits across South Africa
Home / News / Articles / POPIA insists on total enterprise asset...

POPIA insists on total enterprise asset management

24 Oct 2025 · 4 min read · 1,201 views
POPIA insists on total enterprise asset management

verburdened security professionals often dismiss enterprise asset management (EAM). But the recent extension of Protection of Personal Information Act (POPIA) regulations to include the loss or theft of devices exposes organisations to what could be a very expensive compliance headache

verburdened security professionals often dismiss enterprise asset management (EAM). But the recent extension of Protection of Personal Information Act (POPIA) regulations to include the loss or theft of devices exposes organisations to what could be a very expensive compliance headache.

The main challenge is not a lack of awareness about the importance of security, but rather a misalignment of priorities within security teams. Security leaders and their teams already have a host of dashboards they are monitoring and they are overwhelmed. If you raise EAM with them, there is a perception that this involves more work.

The focus at many organisations tends to be on high-profile security controls, while the less glamorous but essential task of asset data integrity is relegated to the background.This oversight is not without consequence. According to IBM, the average cost of a data breach in SA reached R44.1 million in 2025, rising to R70.2 million in the financial sector, demonstrating the multimillion-rand consequences of compliance failure.

Prime targets

Companies can’t protect what they do not track and monitor, and EAM plays a fundamental role in any security strategy. The proliferation of devices, cloud services and applications, often acquired outside official procurement channels, has made manual asset management unfeasible.As a result, shadow IT and untracked devices can easily slip through the cracks, creating blind spots that attackers are all too ready to exploit.

Shadow IT represents a significant risk. Unmonitored devices like personal devices connected to networks, unmanaged hardware and ghost devices create risks of data exfiltration.Unauthorised software and apps, especially GenAI applications like ChatGPT, also greatly expand an organisation’s attack surface, making it challenging for IT teams to track all digital assets, with data leaks, breaches and regulatory violations going unnoticed.These devices can also lead to duplicated software licences, tool sprawl and hidden costs, making IT budgeting inefficient and forcing IT teams to manage fragmented systems. This will impact incident response, asset tracking and consistent policy enforcement.

Better oversight

Just like the European Union’s General Data Protection Regulation (GDPR), South Africa’s POPIA requires organisations to ensure data security throughout the asset lifecycle.The regulator requires responsible parties to take appropriate, reasonable technical and organisational measures to prevent unauthorised access or security compromises, which includes risks from old or discarded devices.And, just as with the GDPR, when it comes to data breaches, POPIA makes provision for fines and even jail time for those responsible for data leaks.However, many organisations aren’t aware of recent changes.

The 2025 amended regulations have been extended to include stolen and lost devices within the scope of ‘security compromise’. This means that the loss or theft of physical devices such as laptops, mobile phones, USB drives, or other equipment containing personal information now constitutes a reportable data breach.
Businesses must now treat the loss or theft of IT equipment as a security compromise, requiring immediate reporting to the Information Regulator and notification to affected data subjects.

This expanded definition makes the need to protect both electronic and physical forms of data exposure all the more urgent.The consequences of non-compliance could be severe. In the event of a data breach, organisations are expected to quickly identify which assets were affected, what data was exposed, and how the incident occurred. This is only possible with a robust EAM system in place.If companies don't have a complete and accurate asset register of all devices, services, apps and databases, they can never know which asset was affected and they can't map owners and data types to it.

READ MORE: https://www.itweb.co.za/article/popia-insists-on-total-enterprise-asset-management/LPwQ57lbKl4qNgkj



📬
Stay in the Loop
Get the latest NGO sector news, jobs and funding opportunities delivered weekly.
Subscribe to Newsletter