As local businesses wait for the Protection of Personal Information Bill (POPI) to officially be signed into law, Iain Wadds, regional pre-sales manager of SecureData Africa, believes many organisations are not doing enough to prepare for the far-reaching consequences that POPI will bring.
“Although organisations accept that POPI is inevitable, many seem to be opting for a reactive as opposed to a pro-active approach when it comes to implementing the necessary measures, in terms of how data relating to personal information is collected, used, stored, disseminated, modified or destroyed.
“Data security is typically driven by compliance and the fear of the bad PR that will come from a data breach. However, due to the fact that locally we’ve not had any laws around protection of personal data yet, this is perhaps the main reason behind the current lack of urgency among organisations to implement security measures as well as the general complacency among end-users,” he comments.
With an implementation lead period of a year, Wadds believes organisations are underestimating the size of the challenge. “The fact remains that any party processing personal data is accountable for compliance and ensuring it is processed correctly and not transferred to another party to process on their behalf that could infringe on privacy.
“Naturally companies with large client databases, particularly those in the healthcare, finance and insurance sectors, will be most affected in terms of relooking their current data processing, however, even smaller companies with no official client or supplier databases will have some personal information on file.
“For instance nearly every company keeps the personal details of their staff on file which inevitably includes contact details, demographic information, and employment history. Therefore the current apathy among most organisations when it comes to POPI is in my opinion, misplaced,” he emphasises.
For Wadds, people and process come first, with technical controls secondary.
“First and foremost organisations need to go through the process of discovering, understanding and classifying their data and then based on that, implement the relevant technical controls. If data policies are not realistic and workable, there is a strong likelihood that the technical controls will be impractical or insufficient,” he adds.
When it comes to the benefits of POPI, Wadds says that while investment in data security measures will probably remain a grudge purchase for many organisations, he is confident that it will do much to promote much needed transparency regarding what information is collected, thereby promoting increased customer confidence in local organisations.
“POPI compliance involves capturing the minimum required data, ensuring accuracy, and correctly destroying data that is no longer required. These measures are likely to improve the overall reliability of an organisation’s database. In addition, to be compliant organisations will be required to both identify personal information and take reasonable measures to protect the data.
“This will likely greatly reduce the risk of data breaches and the associated financial and reputational ramifications for local organisations,” he concludes.