Who controls your data?
Data is everywhere. Can you track and manage it?
Currently, South African businesses are - or should be - debating whether to comply with the EU General Data Protection Regulation (GDPR) or the local Protection of Personal Information (POPI) Act. GDPR becomes enforceable in May 2018, and POPI is expected to follow suit soon thereafter.
Jay Huff, Marketing Director, International, at RiskIQ says, "When considering which to comply with, businesses should bear in mind that while all of the requirements laid down by POPI are valid, in my opinion they're no longer sufficient, especially for organisations targeting European citizens. GDPR adds an additional layer of compliance on top of the POPI legislation."
This approach is backed up by Bob Tarzey, analyst, and director of research firm Quocirca, who says: "Many will already have the data security basics in place to comply with the regulations that precede GDPR. However, GDPR has many additional requirements, especially around the way data is captured and processed. These include obtaining explicit opt-in from data subjects. Before an organisation can address GDPR, it needs to fully understand the extent of its online data gathering activities."
Business owners unsure of which legislation they should adopt should ask themselves: do I do any business whatsoever outside of South Africa's borders? If the answer is 'yes', then your business should consider complying with GDPR. According to EU legislation, GDPR applies to any organisation that directly targets EU citizens, even organisations with no physical presence in the EU. Huff cautions: "Even if you have a local Web site that actively targets EU citizens, you need to be GDPR compliant."
He continues: "The EU regulations are by far the strictest, so by complying with GDPR you automatically comply with data privacy anywhere else in the world."
GDPR (and POPI) is all about knowing how personal information is captured and processed. Businesses need to know how and where data is being collected, used and shared, as well as where it is stored and the security implemented to keep it safe.
However, this is no simple process. Huff explains: "One of the challenges for organisations with a large digital presence is identifying all the places they collect personally identifiable information. This includes all login pages, data entry forms and persistent cookies used across their sites, whether they were developed in-house or outsourced by marketing or a business unit. Once identified, those pages need to be assessed to ensure data is being collected securely and that the correct usage statements and active opt-in controls are in place."
"It's all about being able to discover and manage your enterprise's digital footprint," says Huff, "from both a cyber security and compliance perspective."
Curious to see what progress businesses were making towards being GDPR compliant, RiskIQ looked at 100 000 Web sites of FTSE top 30 UK companies. Some 13 000 pages were collecting personally identifiable information and a third of these were collecting that information in an insecure manner.
Huff says: "When you consider the potential risk to customers through loss and fraudulent use of their data - not to mention the impact on businesses through loss of revenue and brand reputation - you realise just how vital these two pieces of legislation are."
Five things all businesses need to know about GDPR versus current data protection legislation:
1. Consent must be obtained from the data subject: it must be explicit, intelligible and easy to withdraw. The organisation must be able to demonstrate that consent was given.
2. Data subject rights: explicit rights to access, portability, erasure and rectification of the personally identifiable information.
3. Breach reporting is mandatory.
4. Data privacy impact assessments (DPIA) are required.
5. Maximum fines of EUR20 million or 4% of annual global turnover can be imposed.