The power of PoPI

Mayleen Bywater, Vox.

A home can have the most advanced alarm system, electric fencing and security gates, but these are of little use if a family member is duped into opening the gate and letting a criminal walk straight in.

The same can be said for your business.

It doesn't matter how tight a company's information security may be, or how stringently its IT and data management policies are enforced, the most likely cause of a data or privacy breach will be human error, negligence or malice. In today's digital world, it goes without saying that organisations must leverage technology to meet the requirements of data privacy legislation such as the Protection of Personal Information Act (PoPI), says Alison Treadaway, a director at Striata. It's important to acknowledge that technology alone is not the only solution, and having the most advanced technologies in place doesn't necessarily promise that your data is secure, she continues.

For Treadaway, achieving and maintaining compliance with PoPI requires a change in an organisation's culture. This entails everything from making sure that all employees are aware of how data flows into and out of the business, to knowing where it is stored and who is able to access it.

Rian Schoeman, a legal advisor at LAWtrust, agrees. There may be a number of IT systems that make it easier to achieve PoPI compliance, but if general awareness of PoPI requirements and of how to handle personal information is not driven home, there will always be gaps. "PoPI compliance is not only an IT issue, it's a people issue." PoPI will affect all staff members in a company, from the receptionist to the CEO.

Until now, the focus has been on how businesses need to comply with the PoPI Act, notes Mayleen Bywater, senior product manager for security solutions at Vox. But the burden of responsibility is on all individuals within the organisation who have access to, or are responsible for, personal information. These people are also required to understand the Act and must ensure that the processes that are followed, and the systems that are in place, are adhered to.

Schoeman believes the biggest problem is a lack of understanding; most companies don't know what personal information they are storing or where they are storing this information. "From a compliance perspective, the biggest risk is that many people still don't understand what processing means and therefore think that PoPI is not applicable to them."

Gearing up for change

People don't like change, stresses Bywater. This is especially true when changes are being made to IT processes and protocols for how, where and when data is saved, backed up and accessed. She describes a fear of change as the biggest inhibitor to compliance, noting that a change cycle can take between three and four months to get right. This type of policy change will influence the day-to-day behaviour of staff and requires regular training and stringent management.

On a macro level, these changes will have a sizable impact on all business processes. "While many organisations understand that new data has to be compliant, what they don't understand is that all legacy data is also covered under PoPI and this needs to be prioritised." It's essential that legacy data is correctly stored, exported and managed. There's no denying that this will be a costly, and rather inconvenient undertaking, as businesses will have to remove ill-suited systems, buy additional systems and employ people to assist with managing these environments.

The biggest 'change' is the legislative need to implement various controls and protective measures, according to Simeon Tassev, MD and QSA at Galix Networking, noting that these were previously only best-practice stipulations. "Companies will no longer be able to merely pay lip service to the concept of protecting and respecting their client's personal information. They will have to prove their compliance with the requirements of PoPI, not just from a protection point of view, but also from an incident response and incident management perspective." Interestingly, adds Tassev, while technology trends like IoT, BYOD and cloud have enabled businesses to be more flexible and creative in so many ways, these innovations will actually add a further level of complexity for businesses working toward PoPI compliance.

As for the types of businesses that will be affected by PoPI, the reality is that every business will be affected, only the degree will vary.

Across all industries, PoPI impacts anyone who holds any form of personal data, notes Chris Ogden, RubiBlue MD. From informing people that you are storing their data and giving them the option to refute the need for this, to guaranteeing it is stored correctly, to ensuring this information is only used for its original intention, all businesses must understand the requirements, and their responsibilities.

PoPI is applicable to every single company, says Schoeman. "Once companies understand that the mere sending of an e-mail containing someone's name and surname constitutes processing of personal information, they will realise that no one can escape PoPI and that they need to take steps to become compliant."

Breaking the bank

Traditionally, all a person required to bank was their card and ID, notes Simeon Tassev, of Galix Networking. They could go into a bank with these items and do whatever they needed to do. With the introduction of banking technology, like internet banking, customers have many different ways of connecting with their bank. But these new ways of transacting mean that there are so many new ways for a customer's personal information to be compromised.

For Gary Stocks, a research and insights executive at BSG, trust continues to be the basis of comparative advantage for many leading organisations; it's a statement that is especially true for banks.

It's important for all organisations to adequately classify data in order for them to put the appropriate measures in place. "To a certain extent, banks already have most of this classified as customer information. However, the Act is quite specific on how special personal information should be treated and therefore this type of data must be classified appropriately." Banks also need to gain an accurate perspective of what data is entering or exiting the organisation; balancing business and compliance requirements accordingly. Should a data breach occur at any point, banks will need to identify the source of the gap, and proper classification of data and monitoring of data flow makes this easier.

Training for success

When it comes to PoPI compliance, training is perhaps one of the most important ways to ensure that businesses understand the implications of this legislation. For Striata's Alison Treadaway, organisations should focus on three primary areas when planning their PoPI training strategy - awareness, preparation and consistency.

"During the awareness phase, the business needs to communicate to all employees why there are going to be significant changes in systems, policies and processes, and make sure all staff understand the need for data privacy and the necessity of applying security principles to achieve compliance," says Treadaway. While she does believe top-level executives should be driving this culture change, the implications of PoPI must be communicated as a fundamental business imperative to all employees, at all levels.

The preparation phase sees all employees being taught about new processes and systems and then agreeing to comply with these new policies. Training should cover how to prevent a data breach by recognising risks, reducing these risks through good behaviour and understanding what to do should a breach take place, continues Treadaway.

Specialised training must be given to employees who are appointed to specific roles, such as the CIO. According to the Act, a person whose data is being processed has the right to enquire how their data was obtained, what information is being stored and how it will be used. "Organisations need to understand the importance of change management in reaching and maintaining PoPI compliance. This training must happen across the entire business, not only within teams that deal directly with data."

Dos and don'ts of data disposal

With all this talk about how to safeguard and properly manage sensitive corporate and personal data, it's also important to consider how businesses should handle the destruction of the information when it's no longer needed, says legal advisor Rian Schoeman. "Regardless of the many legislative retention periods, there will come a time when information needs to be destroyed." Keeping tabs on what data needs to be destroyed can be a complex process.

Not only is the introduction of mandatory protection of personal data a huge challenge for companies, but now organisations are being prompted to rethink how they approach the reuse, recycling or recovery of their eWaste, says Xperien CEO Wale Arewa. "Most electronics hold personal information. When these eventually become eWaste, it's good practice to ensure all personal information is erased before disposal. Companies will be forced to change their processes to ensure that the personal information and data they collect is protected."

Business may choose to view the Act as a punitive legislation, but Arewa believes it's a great piece of legislation that will enhance processes for all parties. "For those that adopt the Act's principles, it will enhance data protection practices, improve business continuity and uphold their reputation as a good company that cares for their customers."

This article was first published in the March 2017 edition of ITWeb Brainstorm magazine. To read more, go to the Brainstorm website.