Lax controls a personal information disaster waiting to happen

A naïve public assumes the service providers and organisations they engage with are taking the necessary precautions to protect their personal information.
Read time 4min 30sec

Despite legislation such as the Protection of Personal Information Act (POPIA) and European GDPR, South African companies are still not showing the right levels of concern about the importance of protecting sensitive information.

A naïve public, meanwhile, assumes the service providers and organisations they engage with are taking the necessary precautions to protect their personal information. This is a disaster waiting to happen.

With the increased number of data breaches in South Africa, POPIA could not have come soon enough. However, the law commencement date was 1 July 2020 and companies still have until 30 June 2021 to become fully compliant.

This means companies that have been breached and are being breached are not yet legally required to inform their customers if their data has been accessed, even though personal data is starting to be targeted at an increasing rate because it is valuable.

I have met many organisations in South Africa and discussed the impact of POPIA. Many are aware of the law and are educating employees regarding the law. However, many of the investments in both data security mechanisms and data privacy solutions have been lagging. These discussions mainly took place before the COVID-19 pandemic when organisations had sufficient funding.

When asked, “why is it that money is not being invested in these areas?” most responses were, “we would rather make provisions for a possible fine than spend money in these areas”. As a consumer who more than likely has had their personal data lost, this is not good enough.

With the increased number of data breaches in South Africa, POPIA could not have come soon enough.

POPIA will make provisions for penalties as high as a R10 million fine or 10 years jail time, and many organisations appear to be willing to stockpile funds in case they are fined, and appoint a chief data officer (CDO) to take the fall should records be leaked, instead of investing in the right controls to protect personal data.

Naturally, data protection is of paramount importance to the CDO, but many of them are not being taken seriously by business. This may be due in part to the fact that nobody in South Africa has yet sued an organisation for leaking their data, and because there is no clarity as yet on what ‘teeth’ the regulator will have to enforce POPIA.

With POPIA only due to be enforced next year, local organisations not only do not have to disclose breaches, they also do not have the ability to tell customers exactly what data was leaked and how the customers may be at risk as a result.

Data everywhere

Often, most organisations are not aware of the scope and extent of the problem. Personally identifiable data is often in multiple databases sprawled across the enterprise, not to mention personal data contained in unstructured formats stored on local devices and servers both on-premises and in the cloud, in old mainframes, Excel spreadsheets, shared folders and e-mail. Work from home has increased the risks, as users connect via VPNs that may be compromised.

The unfortunate reality is that with digital transformation efforts on the rise and many looking to the cloud for economies of scale, managing personal data and protecting it is becoming more difficult.

Additional concerns arise when you drill deeper into the management of data within organisations. One such immediate concern is the usage of production data in testing environments. Often organisations will have between one and four development environments for each production system, meaning that personal data is now available in up to five environments. This practice opens to the door to additional forms of attacks, this time internal data breaches.

While the testing environment is an obvious risk area and a low hanging fruit to address, a major concern is that in many cases, organisations simply don’t know where this data is. It is spread across CRM, ERP, billing and banking systems, file stores and contractual information.

Solutions are available to consolidate, track, monitor, manage and secure data, but many organisations appear to be unwilling to invest in these solutions, and would rather set aside money for fines in the hopes that they will never need to pay them.

Organisations need to seriously start asking themselves the following questions: Do we know where personally identifiable information is stored? How frequently is it accessed and is its access controlled? Is the data protected? Does the data move between departments, borders and functions? Can we alert customers whose data has been lost? Do we know the value of the data and the risk we are exposed to?

Knowing where your personal and sensitive data is, how it is being used and who is using it should form the baseline to protect it. As with all security protocols, one should focus on a layered approach with the core being the data itself.

Lawrence Smith

KID Group presales solution architect.

Lawrence Smith is KID Group presales solution architect. He is focused on supporting growth in the group’s new robotics division and driving additional Informatica business within Infoflow. Smith has 18 years’ industry experience, architecting solutions for various global customers while working for companies including Automation Anywhere, Informatica, Oracle and Sage Software.

Login with