The Protection of Personal Information Act (PoPIA) sent many businesses scrambling as it was supposed to come into effect in July, and inboxes were therefore flooded with opt-in or unsubscribe options ‘for compliance purposes’.

By Iniel Dreyer, MD at Data Management Professionals South Africa

The reality though is that compliance is not a straightforward, tick-box exercise, and it involves a lot more than simply getting people’s permission to email them. Compliance is complex, because data is complex, and the guidelines of the Act are open to various interpretations.

The majority of businesses simply do not have the skills or resources in-house to successfully identify relevant data, which makes Compliance as a Service (CaaS) the ideal solution.

Do you know your data?

PoPIA revolves around data protection and data privacy, but many businesses do not know what data they have, where it is located, what it contains, and even why they have it at all. This is complicated enough to comprehend in structured data sources.

But, when you add in the challenge of unstructured data and the myriad of data sources from the cloud to servers, infrastructure, social media, connected devices and more, it can become overwhelming. The fact that data is constantly changing and moving only adds to this complexity.

One of the provisions of PoPIA specifies that it is not permitted to keep data indefinitely. It is thus imperative to have a data lifecycle and defensible deletion strategy. Compliance first and foremost requires businesses to understand whether they are storing the right information in the right place for the right reasons.

Where is your data? What does it contain? Is it still relevant to your business? If an individual invokes their ‘right to be forgotten’, can this actually be done, and can you prove it? Without knowing the answers to these questions, compliance is impossible.

The cost of non-compliance

Non-compliance with PoPIA carries the threat of hefty financial penalties and potential jail time. There is also a massive cost associated with an indiscriminate data retention strategy, because storage costs money and without an understanding of data, the storage footprint will soon spiral out of control.

Beyond that, however, the cost of lost productivity and reputational damage is arguably even greater. In an effort to control storage costs, businesses may be tempted to make use of old storage infrastructure beyond its lifespan.

This can have a detrimental effect on performance, and can also leave storage vulnerable to ransomware attacks. The reputational risk of a data breach, and the cost of data leakage, can be even more extreme.

Cost-effective compliance

There are systems and software available to assist businesses with achieving the necessary level of data management, however, they can be costly and complex to implement. The skills required to do so are also often scarce, and the majority of businesses do not have the resources in-house to effectively manage data identification for compliance initiatives.

CaaS offers the ideal solution through a cost-effective operating expenses (OPEX) model to ensure businesses are able to manage data in line with data privacy regulations. CaaS offers access to leading enterprise technology combined with data management expertise as a monthly operational expense.

Through this service, the service provider will work with your business to identify Personally Identifiable Information (PII) within unstructured data across production, backup systems, on-premises and across clouds. This includes South African-specific PII such as ID numbers and credit card numbers.

In addition, CaaS improves the security and management of sensitive information within your organisation and prevents undesirable exposure of your data, and enables businesses to rapidly respond to eDiscovery or compliance requests. Reporting is included, along with workflows to review, audit and report on compliance initiatives in regards data identification, which is essential for proving compliance should an incident occur.

Not just about compliance

Data is a critical business asset, and beyond the requirement for compliance, there are significant business benefits to be obtained through greater insight and understanding of the contents of your data.

Not only does it assist with more effective decision-making, it enables optimal retention and storage strategies to be developed, which can in turn help to reduce storage footprint and associated cost.

Data management, for compliance and for other purposes, is not a once-off exercise, but an ongoing process and a cycle that needs to be followed, enhanced, monitored and maintained on a continual basis.

Having a plan is critical, particularly around what compliance means to your organisation and how this will be achieved through data identification. CaaS will help businesses handle these challenges and mitigate the risks associated with non-compliance.