The importance of data management has increased considerably in recent years due to the advances in big data mining and the benefits it offers businesses. The nature of data management is again undergoing substantial changes, due to the introduction of the Protection of Personal Information (POPI) Act.
Workforce solutions provider Manpower South Africa’s MD, Lyndy van den Barselaar, explores what this act means for IT departments within South African businesses.
Although the aspects of the Act that apply to companies are not yet in effect, the envisaged 12-month period between enactment and compliance is relatively short, and companies are advised to start their journeys towards compliance as early as possible. While the Act will provide consumers with peace of mind, the obligations placed on business are quite weighty.
The personal data of clients and potential clients offers substantial value to companies in terms of how to target them. The more extensive the available information concerning each individual, the more trends can be identified to help inform the business’ marketing strategies.
However, personal data has great power and can also be used to the detriment of the individual, which is why the POPI Act introduces data management legislation that all companies that process personal information have to adhere to.
These principles include making the consumer aware of the purposes for which any personal information will be used, and destroying the data after this purpose is achieved. The onus is also on companies that deal with this data to ensure that the correct safety measures are in place to keep the data confidential and unaltered.
The Act also guarantees control of the data by the consumer. If the consumer requests an update or deletion of personal information when the data is no longer relevant, the company has to comply with this wish.
“The legislation means that companies that deal with personal information do not only have to invest in the best possible security systems and processes, they also need to ensure that the IT staff members they employ have the necessary skill sets to work with these systems,” says van den Barselaar. “Equally important is to ensure that these employees can be trusted, especially with regard to the level of information they are exposed to, as the POPI Act makes a distinction between personal information and special personal information. The latter includes more sensitive information such as race, religion, criminal records, and medical history. These are subject to higher security standards. Companies therefore need to ensure that different tiers of data are subject to different tiers of security.
“In all likelihood, specialist IT positions will be created in larger companies to deal specifically with POPI compliance. New titles such as privacy officers are already beginning to surface,” she explains.
Managers in charge of data storage need to look at the Act carefully to ensure that standard practices, some of which may have been in place for many years, do not violate the Act.
“For instance, many companies hold data for a set number of years before destroying it. However, the POPI Act instructs companies to get rid of data once it has served the purpose for which it was collected,” highlights van den Barselaar. Businesses need to ensure that they keep all the legal intricacies of the Act in mind when dealing with data. For instance, when a contract with a client comes to an end, it is advisable to keep the data on file for a number of years, in the event of a dispute. But after this period, the data has to be destroyed in a manner that makes it irretrievable.
“Companies may also want to look closer to home in terms of website hosting and compliant software,” she says. “Local software producers and IT practitioners know the provisions of the Act and can be better positioned to ensure compliance.”
In conclusion, van den Barselaar says the importance of the security of this data cannot be underestimated, and not only to the consumer. “Hackers have shown how inventive they are when it comes to accessing personal information. When a company’s database is hacked and this information is made available online, the brand image and trust of that company are easily destroyed.”