New laws and regulations around the world have put data privacy on the agenda for every organisation – and enterprises that have not yet prepared themselves for this change in the data protection and information security landscape are exposing their businesses to reputational, security and legal risks.
That’s according to Mike Rogers, MD at Tarsus Technology Solutions, who says that laws like the European Union’s (EU) General Data Protection Regulation (GDPR) and South Africa’s Protection of Personal Information Act (PoPI) demand serious attention from the IT and risk departments as well as the c-suite in very organisation.
South African organisations that do business in the EU and that have yet to comply in full should move fast to align themselves with the regulation’s demands. The regulation came into effect in May 2018, essentially positioning data privacy as a new human right.
And despite the delays in the full implementation of PoPI, organisations should not be complacent about the changes it demands. There is no reason to delay, since it seems unlikely that there will be any material changes in the Act’s requirements in the months to come.
“South African businesses could be forgiven for being blasé about PoPI, given the long journey towards full implementation of the Act,” says Rogers. “But they should see it as part of a global move towards tighter control over how companies store, manage and use personal information.”
GDPR and PoPI: More alike than different
Rogers says that the EU’s GDPR and our PoPI have much in common, though the GDPR has tougher penalties, some different terminology, and stricter requirements around elements such as the right to be forgotten, reporting security breaches, and data portability.
The GDPR applies to all organisations that process data on citizens and residents of EU countries. The good news is that organisations who comply with GDPR should be largely compliant with PoPI’s requirements—so it makes sense for organisations who do business in Europe to start with GDPR compliance.
The GDPR applies to the whole of the EU and repeals the previous existing data protection laws of EU member states. As one of the world’s largest trading blocks and one of South Africa’s largest trading partners, regulation from the EU often sets the benchmark for South African lawmakers, so PoPI and GDPR may converge further in time to come, says Rogers.
Adopting global standards
South African organisations should kick off their data protection strategy by getting the support of senior management and the board to address compliance and risk issues around protection of personal information. The information security team should work closely with the enterprise risk team and report into a senior member of the management team.
The next step is to assess what the organisation still needs to do to comply with global regulations and best practices. For example, it might be necessary for organisations processing large amounts of personal information or particularly sensitive personal information, to appoint a data officer. The company will also want to choose technical and business solutions that match its risk management profile and technical requirements.
Know which data you have and then manage it
A good place to start is to evaluate which data the organisation manages. Equipped with an understanding of the data, where it is stored and where it flows to, the organisation can prioritise technology investments. Data discovery tools can help uncover where the data is – for example, some of it might reside on workers’ hard drives or mobile devices.
Other essentials include identity management and access control, strong encryption and forensic and reporting solutions. Organisations should look at requirements such as the right to be forgotten, transparency, data portability, and end-user consent. This can be complex, which is why many organisations, especially mid-sized companies, may want to look to managed security providers for support.
Rogers concludes: “It’s also worth remembering that data protection laws and regulations are about protecting the interests of consumers, employees, and other stakeholders. Companies that take a proactive stance on managing people’s data in a transparent and responsible way can not only avoid penalties for breaching data protection laws and regulations, but also build higher levels of trust and brand value.”