Digital transformation: What does it mean for compliance?
Being compliant means portraying good governance within your organisation, and that starts with understanding fit-for-purpose technology.
Over and above the vast amounts of information available on how POPIA directly affects an organisation, it’s important to remember that being compliant is not something that is done once and forgotten about, says ViC IT Consulting’s chief technology officer, Nash Pillay.
“It is a continuous process that keeps on getting refined and, most importantly, an ISO (information security officer) should be hired from internal staff, as they would understand the data flows and business use cases better than a consultant,” says Pillay.
Compliance, however, can be a risk in itself. Organisations are creating new roles and responsibilities, such as that of a data privacy officer, which, according to Pillay, aren't always thought through thoroughly enough.
“Compliance is very tricky because adding lots of compliance could have an adverse effect on how we do business and make it difficult to do business with an organisation,” he explains. “If you process any customer information out of SA, your company will have to adhere to the compliance laws of that citizen's country. If you process or have any customer data in your environment, whether in the cloud or on-premises, controls have to be in place to secure all this data, not only from the outside but from possible internal threats.”
Compliance does not mean one size fits all
According to Pillay, more customers are running an extension of their on-premises environment into the cloud. This gives them the flexibility to scale up or down in a much more efficient manner, “without thinking of waiting six weeks to have an order delivered and then installed into a data centre”. That said, there are many pitfalls when it comes to compliance.
“Are you ensuring your staff and customer data is maintained in a secured fashion across its transformation journey within your business?” asks Pillay. “Many software vendors have jumped at the opportunity, but think that it’s almost a one-size-fits-all solution. Compliance is an ongoing task, especially when we start delving into the amount of data organisations are storing due to other compliance laws. It is almost insurmountable.”
Another pitfall brought to light by Pillay is that the regulator has been talking about this for a while, yet, beyond the cost of the fines, not enough is actually happening. With this in mind, Pillay also sees the possibility of companies using compliance as an excuse to hide from businesses they might owe money to, such as financial organisations.
The role of tech
Technology can be a massive enabler for businesses when it comes to compliance. “We are now living in the next generation of 4IR. We need to harness the capability of how IT4Business can address these concerns and ‘people, process and technology’ is the way forward. We need to start automating many menial tasks that would give the people more time to concentrate on the more thought-provoking tasks. But we need to understand our business processes to be able to use fit-for-purpose technology,” explains Pillay.
Before technology is implemented, it is crucial that a business understands what will change in how daily business tasks are carried out. Some vendors, for example, offer FPE (format-preserving encryption). “This allows your data to be protected in the same format as the original data, and to access the protected data when needed using the correct credentials. Further to this, another concern is replicated data in different data stores. Certain tools have the capability to search for replicated records and further reduce your current storage costs,” he says.
Compliance and digital transformation go hand in hand if the correct risks are raised. Pillay adds that starting a new business unit, where you can ensure that staff have the correct analytical minds to understand compliance and the risks associated with transformation, is the way forward, especially when it comes to mitigating risk.
“Everyone says the fastest way to get compliant is to encrypt your data. But what level of encryption and what type of encryption? My question is, can you choose not to be compliant, and would you be out of business going down this route? Being compliant not only showcases the immense trust you have for your customers' data and personal information, but also portrays good governance within your organisation,” says Pillay.
At the end of the day, POPIA is a business enabler. It gives customers peace of mind that the information they share is safe and sound. “Remember that starting is the biggest hurdle. The process of compliance is an ongoing one and is constantly evolving. Understand risk and how it affects your business. In return, it will make customers want to transact with you and will facilitate return business,” he concludes.