The rapid introduction of global and local data protection regulations over the past five years has narrowed the chasm between privacy and information security.

By Imraan Kharwa, data protection officer at Infobip

Where these were historically seen as discrete disciplines, privacy laws have stepped in and bridged the divide by mandating that organisations implement “adequate, reasonable organisational and technical measures” to give effect to data protection obligations.

In practice, this means that privacy and information security teams are now linked in their purpose and mission to ensure that personal data is adequately protected and that organisations remain in compliance with applicable data protection regulations.

In a traditional, siloed environment, organisations often lack a granular understanding of the people, policies and processes needed to give effect to their data protection obligations and tend to implement information security controls in an ad hoc manner, depending on the organisation's risk appetite, budget and general level of awareness. In many cases, this type of security deployment can result in misalignment with existing and emerging threats and may culminate in the organisation falling victim to preventable privacy threats.

We are, however, seeing a shift, with the Chief Information Security Officer (CISO) community increasingly pushing back against traditional organisational structures, saying: “We can manage this process, but you need to tell me exactly what I should be protecting. What is the classification that is required and what information is most important?” If privacy has become a business imperative, then information security is an existential risk that has to be managed at the highest possible levels by the right stakeholders.

 

Smaller companies continue to struggle

On the ground, it is clear that larger organisations with significant information security budgets are already investing in data management and proper governance strategies. Mid-tier and smaller customers, however, may struggle to meet their obligations without adequate visibility of critical data and alignment with applicable regulatory frameworks.

The question remains: how can organisations be resilient when they don’t know what data they are protecting?

In South Africa, achieving data protection compliance has not been a simple matter. The country has transitioned from minimal data privacy requirements to the stringent obligations of POPIA overnight, a wake-up call for many organisations to kick-start their privacy programmes.

Data security experts recommend that organisations adopt a risk-based approach to determine where their high-effort compliance areas are. Those that have already started implementing data governance and data security processes should already have many of the measures in place to meet data privacy requirements.

POPIA stipulates that organisations implement “appropriate, reasonable technical and organisational measures in securing personal information”. This defines how organisations are required to secure the confidentiality, integrity and availability of their data.

Organisations must ensure a multidisciplinary team works together at all stages of developing data privacy and information security controls. There is a significant level of effort involved in complying and in understanding where the data resides, including performing data discovery exercises and de-identification exercises.

 

Not automatically in breach

POPIA expects organisations to identify all reasonable and foreseeable risks to personal data, both internal and external, while continually updating their organisational and technical safeguards. When a breach occurs, it does not automatically mean that a company is in breach of the legal requirements for data protection, as the standard that these controls will be measured against is whether they were “appropriate and reasonable” for the organisation.

That said, organisations must be able to demonstrate that they are conducting their risk assessments and continually monitoring and verifying their safeguards, as well as maintaining and updating them, in alignment with the evolving risk landscape.

To mitigate data breaches, organisations must ensure that they have robust privacy and information security training programmes in place; such training remains one of the foundational aspects of any compliance programme. Doing so demonstrates the organisation’s commitment to compliance.

Additionally, third-party risk remains a factor that organisations must be cognisant of. One of the biggest challenges remains the ability to identify the right vendor to provide data protection and information security services. This can be a tough decision, considering that the market is awash with countless contenders peddling solutions from all over the world, with varying degrees of credibility.

At a foundational level, organisations must develop a comprehensive understanding of their own environment, business and data before seeking a suitable partner to help enhance their data privacy and information security efforts.