On 1 July, every South African’s inbox was flooded with emails from multiple businesses around compliance with the Protection of Personal Information Act (PoPIA).
By Simeon Tassev, MD and QSA at Galix
The reality, though, is that compliance with PoPIA is about much more than simply giving people the opportunity to opt out of marketing emails. Both PoPIA and the General Data Protection Regulation (GDPR), which applies when local businesses work with companies based in the EU, require that businesses understand their data and who can access it.
This is often a challenge and a stumbling point, and while there are technologies available to assist, it is the processes around data management and data security that are the key.
No blanket approach to compliance
Compliance with PoPIA, GDPR and other data privacy legislation is not a tick-box exercise. There is no ‘one size fits all’ approach, and in order to achieve compliance, businesses need a clear understanding of the PoPIA requirements and which of them are relevant to them.
The biggest challenge many businesses experience is that they do not know what data they have, where it is or what it means to the business. This in turn makes it impossible to control access effectively on a meaningful level. Data management is thus essential, not only for security purposes, but also for compliance.
Don’t wait and see
Many businesses have adopted a “wait and see” approach under the mistaken belief that the Act will not be effectively enforced. However, the financial penalties associated with non-compliance with PoPIA are severe, and no organisation should risk this outcome.
Aside from that, the reputational damage associated with a data breach can have even more devastating and far-reaching consequences than a monetary fine. Organisations need to understand the potential business impact of data privacy requirements and mitigate the risk as much as possible.
Steps to compliance
While there is no checklist for compliance as such, there are certain steps businesses should take to ensure their data is managed and protected in line with data privacy requirements. Not only is this imperative for compliance, but it is also sound business practice.
It is imperative to focus on formally defining and documenting processes in such a way that if there are any gaps, they can be identified. It is also important to introduce additional checks and controls, as well as operational reviews, to ensure people have the right access at the appropriate level to enable them to do their job without compromising data security.
What every business should have
To ensure compliance as well as sound data management and security practices, there are certain elements every business needs. These include an organisational structure with clearly assigned roles and responsibilities, and an inventory of systems and data locations.
This is critical to identifying sensitive information in scope for PoPIA and implementing clear data retention policies.
Organisations need to have comprehensive policies and controls to ensure that sensitive information is only accessed and used for the designated purpose by the people with the relevant job role. Finally, they need policies and procedures to deal with any information requests or incidents as specified by PoPIA.
While there are tools available to assist, it all comes down to having the right processes in place around data management and security. Tools will simply augment this and provide checks to ensure adherence. The benefit, aside from facilitating compliance, is that data management also reduces all aspects of cyber risk. Managing risk is critical to surviving in the ‘new normal’, and data management and the right processes are at the heart of this.