POPI could save your reputation

In the current climate of businesses being investigated for their ties to certain well-known families of dubious repute, compliance with POPI could make or break these businesses' reputations, says Claude Schuck, regional manager for Africa at Veeam.

Johannesburg, 25 Oct 2017
Read time 3min 00sec
Claude Schuck, regional manager for Africa, Veeam.
Claude Schuck, regional manager for Africa, Veeam.

When the Protection of Personal Information Bill was first drafted, South African businesses took note and started to implement processes that would see them compliant with the Bill when it was eventually enacted. However, it's now a couple of years down the line, and businesses are having to refocus their attention on data privacy as the passing of the Act into law appears imminent.

Claude Schuck, regional manager for Africa at Veeam, says: "Things have changed so much in the past couple of years that businesses have to consider whether the plans that they put in place initially are still applicable."

POPI places certain requirements on businesses around customer classification, data privacy, how long data must be retained for, access to that data and notifying individuals whose data has been breached. Complying with all of these requirements, particularly in the face of the highly successful series of cyber attacks that we've seen recently, can prove onerous and confusing, says Schuck.

He adds: "The majority of businesses have the basic structures in place around the movement and storage of data that will enable them to conform with POPI immediately; they just need to implement the necessary processes to ensure they align with the Act. The technology that businesses routinely utilise today is usually sufficient, they just need to fill in the gaps here and there in order to become compliant."

For example, most companies have a backup and retention policy. But this is where it becomes interesting - and relevant to the investigations into various South African businesses referred to at the beginning of this article. Schuck says: "It's one thing to have these policies, but the business needs to be confident that it can produce the requested data in the amount of time given. You need to ask yourself, how quickly can you produce that data? Retrieval and speed of that retrieval are key, as is traceability."

In the event of a customer query or court case, being able to track data in terms of who accessed it, what changes were made to it over time, and who authorised what, can make or break a business financially and from a reputational perspective. Schuck says: "Particularly in a legal case, being able to establish what went wrong and at what stage is vital. If POPI was in place and being enforced, it would be far easier to prove a business's innocence - or guilt - by tracking the data."

According to Schuck, there are three key steps that businesses need to take to ensure their backup and recovery policy is compliant:

1. Get a policy in place;
2. Ensure you can produce data and the latest version; and
3. Be able to track that data historically.

Schuck concludes: "Once POPI becomes law in South Africa, it is possible that business might sit back and see how well it's enforced. My advice to them would be to be proactive in order to avoid becoming the business that the government decides to make an example of for non-compliance."

Read more about how to bridge availability and data protection gaps by downloading this whitepaper on the topic:

Editorial contacts
ITWeb Alison Job (011) 807 3294
Have your say