Prioritising IT compliance
Complying with the gamut of IT legislation may seem daunting, but adopting a risk-based approach to compliance can help enterprises tackle the issue more easily, says John Giles, partner at Michalsons Attorneys.
Giles, who frequently delivers workshops on IT governance, risk and compliance (through a legal lens), says one issue that companies battle to understand is the differences and overlaps between governance, risk and compliance. These are all separate yet related issues, he points out.
"In our view, compliance with the laws relating to IT should come first," says Giles. "Many companies focus on King III, but this is just one of the codes relating to IT. It relates more to governance, not compliance."
Compliance puts enterprises on the right side of the law, but this is not the only reason to address it, notes Giles. He says that while the IT laws in place and those being enacted make provision for penalties, this should not be the driving force behind compliance.
"There is a strong business case for compliance," he points out. This, Giles believes, should be taken as seriously as the threat of sanction.
Giles notes that compliance with the Protection of Personal Information Bill (POPI), for example, ensures the security of customers' personal information and helps mitigate the risk of fraud - all of which is beneficial to the enterprise in terms of cost savings, trust and a growing customer base.
Giles says there are currently about nine laws relating directly to IT, with many other rules, codes and standards. While few high-profile prosecutions and penalties for contravening IT-related laws have been recorded in SA to date, there is little room for complacency. In terms of the ECT Act, provision was made for cyber inspectors, but these have been slow to materialise.
In the past, the police may not have been equipped to investigate cyber crimes and IT-related charges. Where IT-related convictions have occurred, the penalties have been minimal. A woman convicted under the ECT Act for stealing a database was fined R1 000, for example, a penalty Giles describes as "ridiculously lenient".
However, Giles says the police have become more capable of investigating and taking action on IT-related charges. In addition, he anticipates dramatic changes once POPI is enacted - possibly in the first quarter of this year. The new Act will see the establishment of an Information Regulator, which will have a great deal of power to effect search and seizure and issue hefty administrative fines, notes Giles.
"This is expected to give fresh impetus to compliance, as it will significantly increase the risks of non-compliance."
In SA, there are widely disparate approaches to IT compliance, Giles says. "Some organisations are very mature and compliant, while others are oblivious. For example, many are not aware that they may not simply monitor e-mail."
Who should take responsibility for understanding IT-related laws and ensuring compliance depends on the structure of the organisation. "King III says the board must have a working knowledge of all IT laws, after which it can delegate responsibility to various individuals to achieve compliance. Responsibility might also fall to the information officer or the CEO," he says.
Giles says it is difficult for any organisation to be completely compliant. Therefore, a risk-based approach is recommended. "Companies can prioritise their compliance efforts by evaluating where the greatest risks lie if they do not comply," he says.
Giles will deliver a full-day workshop on the legal aspects of governance, risk and compliance at the upcoming ITWeb Governance, Risk and Compliance conference.