Cloud computing, the shift to digital experiences, and connected sensors have made it possible for companies to collect and process vast amounts of data around consumers – often to their benefit. For many companies, data is their most valuable asset.
By Charl Venter, practice lead for infrastructure-as-a-service at Altron Systems Integration
It is also an increasingly vulnerable asset, which requires particular care. Stolen user credentials were the most common cause of data breaches this year, and personal information (including email addresses and passwords) was exposed in 44% of data breaches, according to an IBM report.
This highlights the need not only for effective security, but also for appropriate data governance to reduce the risks for consumers as well as organisations entrusted with their data.
Now, with privacy a rising concern, legislation such as the Protection of Personal Information Act (POPIA) ensures consumers can decide where, when, and with whom to share their data. Consumers now have the right to request reports on how their data is being stored and used, and to demand that companies destroy their data when needed.
Organisations that receive such a request must prove that this data is being stored appropriately, or that they do not hold the data. This applies not only to large businesses, but to all entities, including NGOs, schools, and start-ups.
POPIA’s definition of protected information is wide-ranging. It includes:
* Race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture, language and birth.
* Education, medical issues, finances, employment history and any criminal record.
* Identifiers such as email addresses, physical address, telephone number, location, and social media accounts.
* Biometric information.
* Personal opinions, views and preferences.
* Private correspondence.
* Another person’s views about that person.
* The person’s name if used in conjunction with other personal information.
If you or your organisation is found to be non-compliant with POPIA, you could face imprisonment of up to 10 years or a fine of up to R10-million. In determining the penalty, factors under consideration would include the nature of the personal information involved, the severity of the contravention, the number of people affected, whether the contravention could have been prevented, whether a risk assessment was carried out and whether appropriate policies, procedures and practices were implemented.
Any individual whose data was collected may institute an action for damages against the party responsible, regardless of whether the non-compliance was negligent or intentional.
This presents a fundamental challenge to organisations throughout South Africa. They need to adapt their own processes to track the data they are collecting and put appropriate safeguards in place. With new data constantly being collected, compliance can be more difficult than businesses expect. The right systems and processes are critical in maintaining compliance.
As a first step, organisations must appoint an information officer (usually the CEO or managing director) and at least one deputy information officer. They should then conduct a gap analysis to determine current compliance and assess what additional policies and processes are needed. This should also include a review of the type of information currently collected, the process for gaining consent, and how consent information is stored.
Data governance systems are essential in supporting POPIA compliance within organisations. More traditional, on-premises systems are expensive and time-consuming to set up. However, cloud-based tools such as Scout, powered by Altron Systems Integration and NetApp, can be set up quickly and cost-effectively. It is affordable for even the smallest organisations, as pricing depends on the amount of data held.