POPIA compliance is not just an IT problem
By Johan Scheepers, Country Head at Commvault South Africa
Since its implementation in 2018, the General Data Protection Regulation (GDPR) has become a global standard in protecting end-users from the unlawful use or dissemination of their personal information. South Africa’s Protection of Personal Information Act (POPIA), set to commence in July 2021, is modelled on GDPR, and it affects all businesses. While many organisations believe that POPIA compliance will not affect them, or that it is just an IT problem, this is a short-sighted attitude that could see them falling foul of the law. Compliance requires business and IT to work together to manage data effectively, which at the same time provides a number of business benefits.
The buck does not stop with IT
POPIA is an umbrella data protection law that governs how businesses need to handle data, more extensively than the various silos of rules that have existed to date. In the information economy, protecting data is of the utmost importance, not only for compliance purposes, but also to safeguard businesses themselves. And while IT plays an important role in data management and therefore in compliance, technology is not a magic wand that organisations can wave to become compliant.
Technology is an enabler that helps businesses find, classify and manage sensitive information. However, as more work has moved to remote settings, with businesses deploying a variety of collaboration tools, data has become increasingly segmented. IT can assist by providing the tools and security controls that prevent unlawful access to data, but it is the responsibility of the business as a whole to apply the principles of POPIA. If processes and governance, both business issues, are not put in place around the data, technology will fail. In addition, POPIA holds business owners accountable, not the IT department, should a breach of compliance occur.
No checklist for compliance
POPIA presents businesses with a twofold problem: what information is given to us, and how do we protect it? The challenge is that there is no checklist that organisations can apply to ensure compliance. POPIA is made up of a number of guiding principles that can be interpreted in different ways, including information security, data subject participation and, importantly, the right to be forgotten. This is why governance is critical.
Data governance needs to become an integral part of business. This means being part of a cycle of continuous improvement, so that businesses can not only claim compliance, but prove they have taken all reasonable steps to comply. In terms of IT security standards, some best practices include making appropriate provisions to encrypt data stored off premises, and ensuring that access to information is strictly controlled and appropriate. The reality is that there is no such thing as being 100% secure, but there are mitigating steps that can and must be taken to safeguard data.
Protecting personal information is in everyone’s best interest
Compliance and governance are not once-off exercises; there is no end goal or destination. They are changes in business process and practice that must constantly evolve to meet the changing threat and regulatory landscape. Nor is compliance mere bureaucracy for the sake of legislation. Protecting personal information means stopping that information from falling into the wrong hands, where it could be used for malicious purposes. At the end of the day, these laws are there to help us all, because we are all consumers.
IT and business need to work together to ensure that business processes and governance are in place to protect data. They also need to ensure access is appropriate and, importantly, to manage the various silos of data that exist. If businesses do not know what data they have or where it is stored, they cannot hope to protect it effectively. Data management, data governance and visibility into data are the cornerstones of POPIA compliance.