2018: The year of data regulation

Acts such as POPI and GDPR will expand digital business. But without them, your business might come to a halt.


Johannesburg, 14 Dec 2017
Christo van Staden, Regional Manager for Sub-Saharan Africa, Forcepoint.

The digital world is your oyster. Today it is not only feasible to reach beyond the natural borders of countries, but encouraged. Having customers abroad has never been easier. Likewise, taking advantage of pricing in different territories is a modern source of cost-saving and efficiency that every organisation should consider.

But the world has also witnessed a rising tide of concern over data, specifically where it resides and who has access to it. This is most pertinent when it concerns personal information, which is why a wave of data regulations has started to come into play across the globe. As a business you want to know you can safely and legally transfer data to different sovereign regions, which is why many new regulations are being introduced. At the same time, we now face behaviour-centric risks ranging from the common user error that turns an e-mail lure into a ransomware debacle, to sporadic, anomalous activities that, once presented in context, can be the breadcrumbs leading to the early stages of a malicious insider threat. In a world where malware is continually evolving, critical data is moving to the cloud and criminals are exploring new vectors of attack, how can security professionals stay up to date with, and keep ahead of, changes in the industry?

"Many companies still think you aren't allowed to move personal data outside of South Africa's borders," said Christo van Staden, Forcepoint's Regional Manager for sub-Saharan Africa. "That is not true, but only if the right regulations are in place. For example, you can put the information of South Africans on European servers, but only because Europe's regulations meet the requirements of South African laws. It goes the other way too: European businesses cannot transact data with South Africa if we didn't have regulations such as POPI."

POPI, or the Protection of Personal Information Act, is a groundbreaking law that aims both to protect South African individuals and to enable companies to safely manage personal data across multiple jurisdictions. It is based on the framework of the EU's GDPR, or General Data Protection Regulation.

Older data laws were far too fractured to give any clear assurances to people and companies, said Hogan Lovells partner, Eduardo Ustaran, adding that the many laws "looked like a twisted network of paths going in different directions. It was clear the commission tried to go from that to a unique set of rules. And that is certainly a positive outcome."

Complying with GDPR enables companies to do business with European individuals and companies, as well as store data on European servers. But since GDPR is a framework that policymakers in other jurisdictions can use, legislation such as POPI is very similar. In fact, complying with GDPR usually ensures POPI compliance as well, said IT law consultant Professor David Taylor: "If your business data is going to or coming from an EU country, you have to comply with GDPR, so it makes sense to comply with that standard as by doing so, you'll be covered for POPI too."

This comes to a head in 2018. GDPR is set to be enacted by the middle of the year, and while POPI's implementation date is not set, it will happen before December 2018. Once in place, these regulations will open doors, but will also enact harsh penalties for negligent or irresponsible behaviour around data storage, including heavy fines and even jail time for executives. Smart companies will see this not just through the compliance lens but as a feature of their security policy. Some CISOs will pivot towards mitigation rather than detection or protection, and will implement improvements to controls and response to better ready their business for the GDPR deadline.

However, as the GDPR's May 25 deadline approaches, panic will ensue as the majority of procrastinators realise that GDPR compliance requires more than they anticipated, and will overcorrect by applying policies that stifle business processes. We will see many organisations undergo CISO reshuffles as these individuals realise they are unprepared and seek other roles to avoid internal criticism.

"The two go hand in hand," said Van Staden. "If you meet GDPR, you will meet POPI. More crucially, you will enable your enterprise to do business with Europe and territories, who, like South Africa, used GDPR as their regulation blueprint, and they will be able to do business with you."

For South African companies, POPI compliance is not negotiable. But it doesn't need to be a painful process. This new family of regulations aims to create a better, faster and more reliable global business environment where data can flow as freely and securely as products and profits. It's a building block for 21st-century enterprises.