POPI turns up regulatory heat on ECM

Companies will need to look at how they store and manage personal information when a new law is enacted.

Read time 2min 00sec

The Protection of Personal Information Act (POPI) is expected to become law in South Africa by the middle of 2013, bringing the country in line with international data protection laws.

Companies will need to look at their existing policies, procedures and systems to ensure they meet POPI's requirements.

Organisations that already follow good practices in the way they manage and store personal information about shareholders, employees, customers, suppliers and so on, will be well positioned to demonstrate their compliance with POPI.

But those that have neglected information governance over the years face a scramble to meet the law's stringent requirements about how they handle sensitive customer information, such as names, addresses, e-mail addresses, ID numbers, employment history, and health data.

As with most data privacy and information governance laws, the impact of POPI on enterprise content management (ECM) comes down to data classification, says Andrew Kirkland, country manager at Trustwave South Africa. Companies will need to look at their existing policies, procedures and systems to ensure they meet POPI's requirements.

The link between ECM and information governance comes down to data classification, he adds. The more sensitive and confidential the information is, the closer it will be regulated and the tighter organisational controls will need to be over where and how the data is stored, who has access to it, and how it may be accessed and managed.

Some measures enterprises can take to ensure they meet the demands of POPI and other regulations include putting solutions in place for access control, alerting and monitoring, encryption, and end-point security, says Kirkland. They should also consider implementing incident readiness programmes and appointing a risk and compliance officer or data custodian.

LAWtrust solutions director Maeson Maherry says companies need to put steps in place to ensure the authenticity and originality of the document over its life cycle to ensure compliance with laws such as the ECT Act and POPI.

Passwords are not enough to ensure the integrity of sensitive material. Companies should first put strong authentication solutions in place to ensure they can identify the owner of the information and who can view it; then they should put access controls in place and encrypt the data for privacy.

Login with