Data privacy is critical
The importance of keeping customers' personal information safe has never been greater. Maintaining it on-premises - and behind a range of security measures - should keep you in line with the POPI Act.
The recent Cambridge Analytica and Facebook data scandal has once again highlighted how important data privacy is. Cambridge Analytica was able to harvest data from 50 million Facebook users, pulling data not only from people who took the quiz from which information was gleaned, but also from their friends' profiles, using this data to build psychological profiles and then deploying this information in political campaigns, all without the users' knowledge or consent.
This should sound a warning to individuals and organisations about how critical data privacy and security needs to be in today's digital world, says Andy Hilton, CEO of SafriCloud. He points out that if a company of Facebook's status and reputation can allow a situation like this to happen, people should always question why a company wants their personal information, what it is doing with it and what processes it has in place to protect it.
"The good news is that government is also aware of this requirement, which is why here in South Africa the Protection of Personal Information (POPI) Act focuses on ensuring the security of people's personal data. In a similar manner, the General Data Protection Regulation (GDPR) is very strict in terms of the consequences businesses will face for breaking the rules in Europe. Companies from there that have offices in South Africa will, therefore, be accountable to the GDPR lawmakers," he says.
"The POPI Act effectively says that if an organisation gathers, processes or stores personal information, it is subject to the provisions of the Act. This takes into account everyone from social media platforms to enterprises that require specific personal details as part of their daily operations, such as banks, service providers and retailers."
Ultimately, explains Hilton, personal information is provided by the owner for a particular reason and, as such, should only be utilised by a business within those ambits. The information is provided because the user wants to open an account, take out a cellphone contract or, in the case of social media, simply comment on something. If a company then takes that information and starts to mine it, it is effectively processing that data, which immediately brings it into conflict with POPI rules.
"It is also vital to remember that a key aspect of this legislation is that even those who require our data should not store it for longer than is necessary. In addition, the purpose of processing the data must be clearly defined, and in a situation where telemarketers, for example, gain access to this information, the user must have given their consent for it to be used.
"This is not to say that there are not instances where third parties may require access to stored personal information, a good example is data warehouses, which can provide a car dealership with a potential customer's latest credit rating, but the organisation requiring the information should only be able to access it on a pay-per-use basis. Also, it is crucial that they are very clear on the reason they need the data and exactly what they are going to do with it. Just as critical is the fact that they are not allowed to take the data off-site," he adds.
One of the best ways for an organisation to ensure its customer data remains secure is to ensure this information never leaves the premises and remains on its own servers. After all, points out Hilton, this is the only place where a company can be assured that all the right security measures are in place. This includes everything from firewalls and anti-virus solutions to encryption and protection against anyone copying such information onto a moveable device.
"In an instance where a third party genuinely requires the use of customer data, by keeping it secured in your own, on-premises servers and creating a clear audit trail for its use, it becomes much easier to keep track of the information. Thus, if it is utilised for something other than what it was requested for, it becomes a simple matter to identify and take action against the guilty party."
"POPI is not going to go away and, though it has yet to be promulgated, it is important that individuals and businesses familiarise themselves with the Act, so they are well aware of their rights and how they and their private information is protected by this legislation and what action can be taken if it is misused."
"The recognition of the importance of data privacy and the need for better information security is long overdue, for too long, this arena has been a bit like the American wild west in its lawlessness. Fortunately, with the coming of specific information privacy laws like POPI, you could say the sheriff has finally arrived in town, and lawbreakers will now get severely punished for their transgressions," he concludes.