The Covid-19 pandemic created somewhat of a perfect storm when it comes to data protection.
By Sonja Weber, lead delivery solution manager at T-Systems South Africa
On the one hand, businesses were forced to stop their investment into major projects to manage the operational challenges they faced. They also needed to quickly cater to a remote workforce, which introduces vulnerabilities of its own, especially if not well planned.
On the other hand, cyber criminals recognised the lack of focus around governance and security, as well as the opportunity to sell data to desperate businesses, and the number of malicious attacks skyrocketed.
Adding to the complexity, during the crisis, the Protection of Personal Information Act (PoPIA) came into enforceable effect. This means, despite tight budgets and reduced capacity for new projects, businesses in South African simply cannot afford to take it lightly anymore. With this cluster of issues surrounding data protection and data management, governance needs to be a top priority going forward, especially as businesses adopt multi-cloud and hybrid cloud strategies.
Strategy is key to governance success
With a multitude of factors contributing to a growing data governance challenge, having the right strategy in place is critical, particularly as businesses move more of their data into the cloud. There are three factors to consider around a data governance strategy.
Firstly, it is essential to conduct a proper personal information impact assessment across a business. This is important so that an understanding is created of what data a company possesses and how it is processed, as well as what technology and processes will be required to support compliance, monitoring and continuous improvement initiatives. It is also critical to ensure that organisations know what needs to be done to ensure compliance with legislation such as PoPIA.
Secondly, governance certifications need to be in place, including ISO27001, which covers information and cyber security as well as governance requirements. Finally, adopting best practice guidelines such as King IV can help to guide infrastructure and governance structures.
The first step is always to understand the status of an organisation. Often, compliance is less of a technology conversation and more about people and process, but without a foundational understanding it is impossible to create the awareness required.
Accountability is always yours, even in the cloud
Many businesses have not yet comprehended that the top-level executives like the CIO or the MD can and will be held personally liable for data breaches under PoPIA. This includes fines and prison sentences. Even when moving to the cloud or multi-cloud platforms, businesses cannot absolve themselves of responsibility. The ultimate accountability for data always remains with the business and its executive.
When signing with new service providers, including cloud providers, it is imperative to incorporate PoPIA compliance elements. The contract needs to explicitly state that the service provider will inform the business in the event of a data breach. All existing contracts also need to be reviewed to ensure this is in place, otherwise businesses have zero recourse should a breach occur.
It is also imperative, for compliance reasons and good business practice, to be able to monitor and report on governance processes. This includes the ability to audit service providers, which many providers do not permit.
Effective partnerships help to mitigate risk
While PoPIA is now in effect for the most part, it remains unclear in certain instances. When it comes to governance, the European Union’s General Data Protection Regulation (GDPR) covers everything PoPIA does and more, in a much more defined fashion, making it a more useful yardstick for businesses. Multi cloud strategies and other technology and service initiatives need to be reviewed for compliance, using GDPR as the measure.
Organisations should look for a service provider that provides the right blend of cloud certifications, compliance with GDPR regulations and the ability to permit external audits, to ensure risk is effectively mitigated.