Two steps to POPIA compliance


Johannesburg, 08 Nov 2021
Mukhtar Khan, Digital Trust Technical Specialist, IBM Security.

Data is not the new oil or gold. It's more akin to electricity. And what is the value of electricity? It's relative. You might not care much about the battery in your television remote, or you might fret over every watt's cost at a large factory. In both cases, though, it is a problem when the power stops working. The value of electricity is not so much in its consumption but through its availability and flow.

We can apply this same paradigm to data, says Mukhtar Khan, Digital Trust Technical Specialist at IBM Security: "Making data available is an important priority. Companies know that they sit on a lot of potential value through their data but that value can't exist if you don't make data accessible. This need puts a lot of pressure on IT teams to discover and classify data, make that data secure and compliant, and effectively manage and monitor it."

He adds that organisations have seen an increase in the amount of data they collect and retain. At the same time, security and data breaches have been on the rise. This data economy has now driven regulators and governments to impose data privacy and protection regulations. These changes, combined with growing consumer rights advocacy, have reinforced or even mandated the need for organisations to implement better data protections.

At the heart of growing calls for compliance is the requirement for more responsible use of data – and we’re seeing this increasingly around the world. The European Union's GDPR law is perhaps the best-known, and it's in good company: Brazil launched the General Personal Data Protection Law (LGPD), and the US state of California established the California Consumer Privacy Act (CCPA). Locally, we have become well-acquainted with POPIA, the Protection of Personal Information Act.

Such laws are not only mandated by governments – consumers celebrate them as well. Very much aware of their right to privacy and the threat of cyber crime, individuals also demand better protection for their personal information.

Putting POPIA in place

Yet compliance projects are notorious for their complexity, and the current environment does not make adherence to laws such as POPIA any easier. Many organisations have embarked on a digital transformation strategy which was only accelerated by the pandemic. Now, the destination of compliance seems even more distant due to other pressures that include hybrid infrastructure, remote working and cyber security.

To have the best chance of being in compliance, it’s important that organisations understand how data moves through their business. This raises multiple questions and poses major challenges for organisations: What personal data are they holding? Where is it located? How is it processed? What is the retention period of this data? How do you respond to consumer access rights requests? What security precautions do you have in place? And how do you plan to reduce the amount of data you initially collect and how long will you retain it for?

"IT teams have a lot to do, and compliance often doesn't help things because of two reasons," explains Khan. "There is often the mistaken expectation that compliance is primarily an IT issue and not something that requires multi-disciplinary collaboration. Then there is the myth that technology can solve compliance, that as long as you choose the right IT product your POPIA compliance is taken care of."

Fortunately, these two drawbacks point to how companies can instead tackle compliance in the right way. The first step is to assemble the right team, because its composition will directly influence the duration and success of the project. Such a team should include representation from the affected groups, notably those working on data privacy, compliance and security, as well as the respective platform owners, who are in effect the data owners. Each of these groups will bring specific requirements or standards that need to be adhered to during execution.

The next step is selecting or leveraging different technologies to establish and support compliance. It is essential to ensure that the technology of choice supports business objectives and strategies across hybrid environments.

Once a strategy is in place and approved by all parties, the technology portion becomes easier. Not only that, but best-of-breed data management technologies can cover other concerns such as discovery, classification, security, monitoring and integrated access with other platforms such as analytics, ERP and CRM services.

"When you select the appropriate strategy, you can see which areas of your data estate need strengthening," says Khan. "You ultimately want to discover, classify, analyse and protect data, while also establishing responsive and resilient security. On top of that you want to simplify your compliance reporting. It all starts with a good strategy that involves multiple groups in the business. If they have a big stake in the company's data environment, they should be at the table."

By infusing identity and access management solutions with a data protection solution, businesses can place the correct building blocks to achieve POPIA compliance.

"There is often a debate about how much compliance impacts the day-to-day operations of a company. But with data privacy laws there is a clear overlap. If organisations approach POPIA smartly, they can achieve more than just compliance. They can create those data access flows that will keep business moving forward."

IBM can assist companies with their POPIA strategy. Interested parties can reach out to Mukhtar Khan via LinkedIn https://www.linkedin.com/in/mukhtark/.
