Treading the compliancy line
Companies have to ask themselves how far along they are on their journey towards compliance with data privacy legislation, and whether they can prove that they are, in fact, compliant, says Claude Schuck, regional manager for Africa at Veeam.
With GDPR coming into force in May 2018, and POPI expected to follow suit by the end of the year, it seems that local business would have started planning their compliance journey. Somewhat alarmingly, some organisations are taking a wait-and-see approach, which could leave them at risk of a sizable fine - or worse.
GDPR lays out how companies should process, store and secure the personal data of EU citizens. Businesses that fail to comply can expect a fine of up to EUR20 million or 4% of global annual turnover in the prior year. Non-compliance with POPI can attract a fine of up to R10 million or 10 years in prison. The bottom line is clear - South African businesses need to start paying attention to how they collect, manage, store and share individuals' personal information.
Claude Schuck, regional manager for Africa at Veeam, says: "POPI and GDPR both relate to personally identifiable data, its protection and its availability. When it comes to compliance with legislation around the protection of that data, when called upon, you have to be able to prove that you've processed that data in a compliant manner. This requires that you know, manage and protect your data. You have to document that compliance and continually improve on how you do that."
The reassuring news is that the majority of businesses that have embarked on a digital transformation journey will already be on the road to compliance. They may have to make a few small adjustments to some of their processes, but it won't be an onerous or expensive project to implement.
Schuck says: "For instance, most businesses have a data backup and retention policy in place. They may simply need to change some of their existing processes or even implement some new ones around that to be compliant with data privacy legislation."
Digital transformation gives a business visibility into its data, where it is, who has access to it and what data it has. It also allows the business to automate processes around compliance. Is compliance possible without digital transformation? "Possibly," he concedes, "but the processes will be more labour-intensive and it could prove much more difficult to track a breach."
There are several ways in which non-compliance could come to light, says Schuck. Individuals could report a business for sharing their personal information; the organisation itself is obliged to report any data breaches that could impact on personal information; and an audit of a business could reveal non-compliance.
Businesses need to weigh up the financial consequences of non-compliance versus what it will cost to get there. This is especially true for small to medium businesses that may not have started their digital transformation journey, says Schuck. "As mentioned previously, bigger organisations are probably already there; they have the people and processes in place to ensure compliance. But, smaller businesses may need to drastically rethink the way in which they store and manage their personally identifiable data."
While both pieces of legislation make it clear that businesses of all sizes have to be more responsible and accountable in how they process personal information, what isn't clear is exactly how they must do so, says Schuck. "GDPR is a lot more structured in terms of what's required, whereas POPI is less prescriptive."
"What does being compliant entail? If your business deals with personal information, whether it's that of suppliers, employees or customers, you have to be able to document where you're keeping those records and who has access to them. How you get there is up to the individual business - the processes around that are not defined. It's even possible that a business might only realise that it's not compliant when it's asked to provide information documenting its compliancy journey."
South African businesses are already tightening up their processes around how they handle personal information - although individuals are still relatively uninformed about their rights. Schuck says: "Often, uninformed consumers sign away their rights to data privacy by consenting to being sent marketing information. This can be as simple is including such consent within the terms and conditions around a competition, for instance. How many people think to tick that box that says they don't wish to be contacted? Particularly if they think they're going to win something. Currently, they have to actively opt out of having their personal information shared."
On a much larger scale, there's the challenge faced by public cloud providers that store all kinds of data from a wide array of customers that are geographically disparate. "To what extent are these providers able to guarantee that their customers' data is secure as per the relevant legislation? And what additional measures are they taking to ensure they are compliant? We're talking about potentially thousands of customers' data all hosted publicly, plus that of their local service partners. Selling shared space is their business model, so they need to make doubly sure that the data is properly segregated and stored in a compliant manner."
When data is stored on-site in an on-premises data centre, it is far easier to control and oversee. The personal information can be siloed, making compliance that much easier. But this model isn't feasible for all businesses who turn to the cloud for their storage. But in this instance, one certainly has to ask where the liability lies, says Schuck.
The big question is, do businesses jump in and start addressing compliance, or do they wait and see how non-compliance with either GDPR or POPI is dealt with in South Africa? Schuck advises businesses be proactive in embarking on their compliancy journey: "If you own a business that deals in any way with anybody that resides in the EU, and today the majority of businesses are global, then it's probably wise to start preparing for GDPR and not wait for POPI. In my opinion, businesses that cover all of their bases by complying with both GDPR and POPI requirements will be safest in the long run."
Read more about GDPR compliance by downloading this white paper: https://www.veeam.com/wp-gdpr-compliance-experience.html?ccode=itweb.co.za