GDPR - what it means to South African companies
GDPR (General Data Protection Regulation) has been on the news radar for some time. As the deadline for its implementation nears, it is important to understand what GDPR actually means to South African business, and how it slots in with our own data protection Act, POPI.
For one thing, European companies will be far more at ease doing business with South African companies that have a deep understanding of GDPR as well as a desire to implement it. The question, however, is where to begin.
"Assessment and gap analysis is the best place to start. Find out what data you have, classify it and create a map of that data flow. Once you've done that, you should be able to see where all the gaps are and then plan accordingly," advises Indi Siriniwasa, Vice-President of Trend Micro, Sub-Saharan Africa.
Once a business has completed its assessment, it can then begin identifying the people it needs to hire or train in order to meet compliance. This is also the time to examine what costs may be involved for the business or organisation.
"For European businesses, not complying with GDPR can result in heavy fines. Data is vital to business in the digital age, and customers and clients rely on organisations to keep sensitive information safe. A survey has revealed that up to 67% of businesses are unaware of the extent of the fines. What's worse, there are still businesses that have adopted a casual attitude to the entire exercise of compliance," explains Siriniwasa.
And keeping sensitive information safe is the crux of both GDPR and POPI. Both are concerned about the collection, storage and dissemination of data collected by various organisations. Both protect data privacy, ensuring plans are put in place for data storage and protection, and making sure that even the company's service providers are compliant.
"The process involves staff education. They are the ones gathering and entering data, which means, for the most part, they will be responsible for their safekeeping. This means that the information needs to be managed correctly in accordance with the policies contained in both Acts," says Siriniwasa.
Even after the right processes are installed for data protection, there is also the ongoing process of ensuring compliance. This means that some companies may have to drastically overhaul their policies on data and put in stricter controls.
In practice, if a company is associated in any way with an EU organisation - whether as a supplier, as a processor of data for an EU company, or because it has employees who work in the EU - it has to meet the requirements for GDPR compliance.
"If you have legacy security products, you're looking at possible unexpected vulnerabilities in the virtual and cloud base sphere. Centralised protection is of great importance, whether we're talking physical, virtual, cloud, multi-cloud, container or hybrid environments," Siriniwasa advises.
When GDPR becomes mandatory, companies and organisations have 72 hours in which to report any breaches or face hefty fines. This makes knowing exactly what is going on in corporate networks vital. Detection engines with advanced capabilities can stop a breach before it even begins.
"This does mean a lot of work for companies, particularly those that have only just started to implement the right security measures. In any case, companies and organisations should have been treating the matter of data security seriously for some time now. However, at the end of the day, companies can rest assured that they are compliant and their clients can feel safer knowing that the right measures have been taken to keep their personal information secure," concludes Siriniwasa.