
Do you know where your data goes?

Different countries have different data compliance regulations. Are you 100% sure that your data is compliant as it travels around the world?


Johannesburg, 10 Oct 2018
Bridgette Graham, CEO and founder, J Soft Holdings.

By now, the majority of South African businesses are familiar with the requirements of the Protection of Personal Information Act (POPI), which governs how personal data is obtained, processed, stored and destroyed. Despite not yet having come into law, the Act makes provision for fines of up to R10 million and even a jail sentence of up to 10 years, depending on the seriousness of the data breach.

However, what most businesses don't always know is whether their data is likely to travel to a country that has different compliance requirements from POPI and, possibly, much steeper fines for breaches. For example, the European Union's General Data Protection Regulation (GDPR) imposes severe penalties for non-compliance, with two tiers of administrative fines: up to EUR10 million or 2% of annual global turnover, whichever is higher; or up to EUR20 million or 4% of annual global turnover, whichever is higher.

Bridgette Graham, CEO and founder of J Soft Holdings, says that while the increasing adoption of business process automation (BPA) has made it easier than ever before to share data across the organisation, as well as with external parties, it also places greater responsibility on the business for that data. Graham says: "Protecting your business, and its data, against non-compliance with local or international data protection laws all comes down to the level of document management enabled by your company's business process automation software."

She says: "Document management processes are key, and when combined with BPA, provide the business with a very powerful compliance tool when it comes to protecting sensitive information."

When properly configured, the BPA system can issue pre-emptive notifications when the business is in danger of not being compliant in its processing of data. However, says Graham, not all BPA solutions have this capability.

"In order to be compliant with international requirements like GDPR across different regions, it's important to build on a platform that is not only compliant itself, but is also configurable to other compliance requirements."

Graham is referring to the ability to control precisely when and how items are deleted, who can access and change documents, and the ability to set authorisations according to a specific country's data protection laws.

She adds: "Cloud-based systems should expose the granularity with which you can drill down into specifying who can access a particular view or whether certain properties of the data are only made visible to certain users."

This granularity is important because, while personal information must be kept secure, other information in the same file might be required for other purposes. It's essential to differentiate between so-called public-facing data and the type of personal information that should only be accessible to the business's human resources department, for example.

This requires granular security applied to individual fields in a database, so that different viewers can use the same record but each sees a different version of it, depending on POPI or other compliance requirements. BPA and document management should be able to block out certain fields for certain users while still giving authorised viewers access to the data they need, and do so while remaining compliant with different regions' data privacy laws.

This brings us to the next major concern around data privacy. If the business is POPI compliant, and if its data is securely in the cloud, how much of that data should the business make available to external organisations on request? Graham says: "Every BPA system is capable of pushing data from one system to another, but from a POPI perspective, what should I be sharing with another organisation? Is it legal for individuals to choose to make their data publicly available to a third party?"

This concern brings the management of data across its life cycle under the spotlight. From being captured, to being processed, stored and finally, deleted, personal data needs to be tracked and accounted for in a compliant manner. "If you consider that an individual's data for a visa application might be captured in South Africa, sent to the US for approval, then stored in a data centre in Europe, it's easy to see how regional compliance might become incredibly complex."

She continues: "All of this is governed by rules that you build into your BPA to govern the movement of data at a granular level. It's vital that your BPA system has the capability to create rules around metadata to ensure personal data is handled in a compliant manner, regardless of where it is in the world."
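The two mechanisms described above, field-level masking so that each role sees a different version of the same record, and rules over record metadata that decide whether data may be pushed to another region, are sketched below as an added example. This code is not from the article or from J Soft Holdings; the roles, fields, jurisdictions and transfer table are all constructed for illustration.

```python
# Added example, not from the article or J Soft Holdings. All roles,
# fields, jurisdictions and transfer tables below are constructed for
# illustration; a real transfer table comes from legal review, not code.

MASK = "***"

# Constructed role -> fields that role may see. Anything else is masked,
# so every viewer reads the same record but sees a different version.
FIELD_POLICY = {
    "hr": {"name", "id_number", "salary", "home_address", "email"},
    "line_manager": {"name", "email"},
    "public": {"name"},
}

# Constructed: data subject's residency -> regime governing the record.
SUBJECT_REGIME = {"ZA": "POPI", "EU": "GDPR"}
# Constructed: destination region -> regimes it is approved to receive.
# Deny by default: a destination absent here receives nothing.
TRANSFER_ALLOWED = {"ZA": {"POPI"}, "EU": {"POPI", "GDPR"}}

# Constructed sample record (no real person).
SAMPLE_RECORD = {
    "name": "A. Person", "id_number": "[constructed]",
    "salary": 1, "home_address": "[constructed]", "email": "a@example.com",
}
SAMPLE_META = {"subject_residency": "ZA"}

def view_record(record, role):
    """Return a copy of record with every field outside the role's set masked."""
    allowed = FIELD_POLICY.get(role, set())  # unknown role sees nothing
    return {k: (v if k in allowed else MASK) for k, v in record.items()}

def may_transfer(meta, destination):
    """Metadata rule: may this record be pushed to `destination`? -> (ok, reason)"""
    regime = SUBJECT_REGIME.get(meta["subject_residency"])
    if regime is None:
        return False, "unknown subject jurisdiction"
    if regime not in TRANSFER_ALLOWED.get(destination, set()):
        return False, f"{regime} data not approved for transfer to {destination}"
    return True, "ok"

if __name__ == "__main__":
    for role in ("hr", "line_manager", "public"):
        print(role, view_record(SAMPLE_RECORD, role))
    for dest in ("EU", "US"):
        print(dest, may_transfer(SAMPLE_META, dest))
```

Both decisions are deny-by-default: an unknown role sees only masks, and a destination missing from the table receives nothing, which is the safe failure mode for the "if this, then that" rules the article describes.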

Things to consider

If you're unsure about the answer to the question at the beginning of this article, you should also ask yourself the following:

* BPA facilitates the sharing of data, but does your BPA know when data ought not to be shared in terms of compliance?
* Is your BPA smart enough to know the difference between different regions' compliance regulations?
* If personal data about a South African citizen is sent to the UK, does it fall under GDPR or POPI compliance?
* How does POPI affect your existing BPA's standards?

The last word comes from Graham, who says: "The good news is that organisations no longer require an entire IT department to achieve POPI or any other kind of compliance. We're living in a 'no-code, low-code' world, where businesses need to be able to change their BPA rules as and when needed. The world is moving at a rapid pace and nobody can afford to wait for weeks or months while new code is developed that will keep businesses compliant. Today's BPA and document management solutions empower the user to set 'if this, then that' rules around data, without requiring the intervention of an IT professional."
