PoPI Act Compliance
Panel Beaters Directory Article
- By Iniel Dreyer, managing director at Gabsten Technologies, as published in the RISK AFRICA MAGAZINE
The legislative need to safeguard personal client information has had the effect of making businesses aware of their data. When faced with the choice of hefty punitive fines or implementing backup and recovery solutions to protect data, the only logical thing for businesses to do is take the Protection of Personal Information Act (PoPI) seriously.
Compliance with this piece of legislation, however, requires more than just ensuring that data is backed up and recoverable. Although this is a crucial element of compliance, it’s also important for organisations to understand what data they have and where it is stored to ensure that sensitive personal information is protected in line with the requirements of PoPI. Instead of viewing compliance as an onerous task, organisations need to embrace these legislative requirements as they can have a positive impact on the business if applied correctly to data management.
This starts with classifying and defining types of data, and through data visualisation, analysis and intelligent reporting tools, it becomes possible to construct an effective PoPI framework upon which to verify compliance. Once an effective information management structure is in place, it then becomes possible for businesses to transform their data backup into an asset which can be leveraged for other aspects of the business.
Clarifying PoPI’s requirements
From an information management perspective, PoPI compels businesses to reassess their approach to data. It has become critical to understand the data held by an organisation, which involves examining what types of data are held and who has access to such data. Beyond data classification, once information has been identified as personal it becomes necessary to have security for this kind of data.
Businesses now need to be able to prove what steps they are taking to secure data and prevent information leaks, and need to show what processes are in place to identify and rectify breaches, should they occur. The biggest challenge faced by South African businesses comes with identifying what types of data they own. This is challenging because an organisation can only start to work towards compliance once they know what it is they need to be compliant with.
Data classification can be tricky for businesses, given that data is no longer housed solely in the data centre – information comes in from disparate sources all over the organisation and can be housed on a personal mobile device or laptop, for example. The situation is further complicated by the fact that, in today’s mobile-driven workplace, data must be accessible from anywhere and everywhere. Understanding the data is key to unlocking the road map toward PoPI compliance, and having an efficient backup and disaster recovery process in place is the vehicle driving it.
However, PoPI compliance is not a once-off destination given that data held by an organisation changes daily, even hourly. By implementing a single data management platform that backs up data and can leverage data visualisation while being capable of intelligent data analysis and reporting, businesses are then able to have a clear view of their information and of the PoPI compliance journey.
It’s more than a backup
While it’s key to have a data backup and recovery system in place, that’s not the end of it. It is essential to have a tool set that can constantly monitor a business environment and identify possible vulnerabilities that need to be fixed. Backups come into play as a means of tying disparate data sources together, bringing together all data into a single repository, whether the data be from end-point devices, servers or databases. By bringing it all into a single place, it then becomes possible to report on that data in relation to PoPI compliance.
It is at this point that it becomes possible to build a tool set around such a backup and start analysing the data. This means that it’s now feasible to turn a backup repository into an asset, and it’s no longer just a backup plan, there in case of accidental deletion. The backup repository can then be transformed from a cost centre into an asset that can be leveraged for all sorts of other business functions, like data mining, customer relations and operational analytics.
Essentially a rule-set to apply to data, PoPI requires that personal information pertaining to customers be stored within the borders of South Africa for businesses to be compliant. This makes it critical for organisations to utilise service providers that host their data centres locally, which is not as much of an issue as it was in the past given that South Africa has mature cloud service providers readily available.
So, while it might seem like an onerous process designed to over-complicate the way we do business, PoPI has excellent intentions. If applied correctly and if approached with the right mindset, it can empower businesses to take charge of their data and transform the backup repository into an essential business asset. While PoPI compliance is an on-going process, the journey is worth the effort when you consider the importance of data and the role it plays. In the modern business world, data is the lifeblood that carries information to those business functions that require it for survival; without data, there can be no business.