The POPIA opportunity


Johannesburg, 24 May 2021
Brett Skinner, Director, CyberRes SA, Micro Focus.

The POPIA deadline is looming and there isn’t a business in SA that doesn’t know by now that it has to be compliant. Brett Skinner, a director at CyberRes SA, Micro Focus, says part of the challenge is that compliance is seen as a grudge purchase. “The thought process by companies is all too often ‘does this tick the relevant compliance box and is it relatively affordable?’ Instead, they ought to be asking themselves ‘how do we generate revenue from being good corporate citizens, what is the potential business benefit?’”

Skinner believes that businesses should regard POPIA as a revenue creator instead of an additional cost. “They should think about how they can generate revenue from it and turn it into a business opportunity. I believe that regulation is a mandate, whereas resilience is a choice. I encourage companies to ask themselves whether they’re compliant, whether they can be resilient and whether it is possible to generate revenue from that.”

“We need to move away from having a regulation compliance checkbox and start thinking about business resilience.”

Skinner points out that being resilient doesn’t just mean the ability to carry on with business as usual during a cyber attack; it also means the ability to monetise your compliance. And you can’t be resilient unless you’re compliant. There are three points to be made here: know your data (data discovery); analyse and monetise your data; and protect the data and use it properly.

He highlights four areas of risk on which resilient enterprises focus: strategic (such as a pandemic); financial; operational; and information and cyber.

The business benefits of having a cyber resilience strategy include fewer incidents, achieved by protecting against and preventing known malicious activities. The business is able to meet or exceed regulatory compliance and privacy regulations. It also significantly reduces the risk of a breach, or detects a breach in near real time. Finally, customers or clients are privacy and security aware and hold organisations accountable for the data they collect. Building a reputation as a resilient business embeds security and privacy at its core; customers don’t need to experience the controls but can appreciate the benefits of secure interactions.

The POPI Act requires companies to know who their customers are, know what data they have about them and where it resides. They also need to be able to remove a customer’s data from their system, if asked to do so. “Nine times out of 10, a business isn’t able to remove a customer’s data or tell the customer where their data resides on its systems. The customer has a right to ask where their data is and whether your business actually needs that data to provide them with a service. They also have the right to ask whether the data is being adequately protected.”

This brings us to how to maximise the benefit of the data once the business knows what data it has and where it resides. The key is to turn that into additional revenue. Every company stands to gain different business benefits from being POPIA compliant, depending on the services they provide.

“It’s all about knowing your customer and being able to use what you know to grow revenue and business. It’s been said over and over: data is the new oil. But if you don’t mine it, you could be missing the opportunity to offer your existing customers additional services. These customers already trust you to protect their data and are comfortable that even if you were to be breached, their data would be safe. This type of customer would be open to buying more services from you.”

Ultimately, customers must have some level of trust in you because it’s not a matter of if you’ll be breached, but when. Businesses need to ensure that they have the trust of their customer base. They need to know that they can sleep at night knowing their data is safe.

When you start analysing the data, you access information such as the individual’s favourite restaurant or grocery store and you can then offer additional solutions aligned with that. Today, banks don’t just do banking for clients, they offer a wide assortment of services. Retailers also offer financial services. The same applies to telcos. Most companies have additional services that they could potentially sell on to existing customers.

Analytics helps businesses to identify revenue generation opportunities. An example of this in action: Retailer A, a local pharmaceutical retailer, was one of the first businesses to issue loyalty cards to its customers. For years Retailer A has been sending me marketing messages promoting items for babies, despite my age and the fact that I have never ever purchased a single baby-related item at any of its stores. Retailer B, a relatively new loyalty card player, routinely sends me special offers on items that I purchase on a regular basis.

Retailer B is analysing its data correctly and using it to best effect, while Retailer A is sending out generalised special offers in a shotgun approach to marketing – despite having access to all of the data that they require to get this right.

Test your business’s cyber resilience by taking this free assessment.