South African enterprises are taking data protection and governance seriously and are actively moving to implement governance best practice.
Paul Williams, country manager: southern Africa at Fortinet, says South African enterprises, particularly those in the financial services and health sectors, are already on track to meet the requirements of the POPI Act.

What does ‘data governance’ mean?
“Data governance covers the management and protection of data across the entire ecosystem – from data collection, to its movement through networks, to storage and the eventual destruction of data. Poor management at any stage – for example in emails between colleagues within the organisation – could result in leaks. Local CIOs, CISOs, risk managers and legal specialists are well aware of these risks and are taking measures to secure their valuable data at every stage of the data lifecycle.”
Williams notes that data flowing ‘North-South’ (in and out of the enterprise) is not the only area that requires focus. “East-West data flow must also be protected and controlled,” he says. “For example, when data moves between servers within an organisation, it could be at risk if a malware has been introduced somewhere within the network. Employees collaborating on shared documents or emailing copies of information to each other could also put data at risk without effective protection and governance rules in place.”

What are the primary elements of a data governance strategy?
Effective data governance begins with a full audit of how data moves through the organisation, the categorisation of data by levels of security required and the setting of clear rules about access rights within the organisation, this will vary in different business verticals and the type of data sets in their business, this is known as DLP – Data Loss prevention, says Williams.
“To be truly effective, the data entering and leaving the organisation must be carefully monitored and authentication and permissions must be managed. The organisation must govern who is accessing the data, using what device to do so and which content they are accessing. It comes down to the micro-management and inspection of the data,” he says.
The data governance strategy must encompass all data, he notes. “This includes basic operational and administrative data that could reveal the corporate strategy; and the keystrokes, screens and voice call records gathered by the company contact centre.”
Williams says shortfalls still exist around identity and device management, defining the profiles and rights of users, and management of contact centre data. “But enterprises are starting to look more closely at these risk areas and we expect POPI to spell out measures to be taken under endpoint protection regulations,” he says.

Why is or will data governance be important to PoPI compliance once the legislation is in effect in 2018?
Data governance should not wait until 2018, says Williams. “Personal information and important enterprise IP data is constantly at risk and companies stand to incur serious losses and reputational damage, should their data be compromised or stolen. Once POPI comes into effect, they face the additional risk of prosecution and hefty fines which will also spell out market reputation.
“Any company that has not yet done so must start taking the bull by the horns and adapt to the POPI model which is a “Frame Work”. In this frame work each business vertical can adapt their data and corporate governance accordingly. They need to start understanding the Act and take a closer look at their existing data governance, data flow and how effectively they are managing, storing and securing the data,” he says.