Despite the vast amount of disruption companies must endure to comply with looming new privacy laws, many CIOs are welcoming the process.
They’re expressing support for the onerous Protection of Personal Information (Popi) Act, because the threat of jail will finally force companies to implement privacy measures their CIOs have been championing for years.
“It’s forced a shift in how we deal with personal information and forced ethical data processes and practices,” said Imraan Kharwa, the information security officer for Tourvest. “It’s made me personally a champion of privacy and ethics and that’s spreading throughout the business, whereas pre-Popi, data was just a commodity hoovered up by businesses without any ethical form of handling it.”
Absa’s head of technology, Verushca Hunter, said so many regulations already exist that if a company is using best practices and behaving ethically, Popi isn’t a major deal. However, since there hasn’t been any real punishment for a sloppy approach, people haven’t bothered. Popi will finally enforce higher standards of data privacy and security, although retrofitting that into an organisation with thousands or millions of clients will take plenty of time and money.
These IT leaders were speaking at a TechCentral roundtable to debate how to turn the pain of Popi compliance into a gain, by eliminating unnecessary data to free up storage space and management time, consolidating essential data for easier analysis, and making it more secure, to achieve a competitive and operational advantage.
Every company in South Africa will be affected by the Popi Act, which lays down the law for collecting, processing, storing and sharing information about an individual or a company. It holds them accountable for any abuse or compromise of that data, and any privacy breach must be declared quickly. It also creates far tighter restrictions around targeting people with unsolicited electronic communications.
It will be an expensive and onerous process, but CIOs are positively welcoming of the end results, if not the actual process of achieving them.
Telkom’s head of corporate information security governance, Steve Jump, said his company is already benefiting enormously. “It’s allowed us to achieve positive improvements in security that I didn’t think were possible. Popi is the catalyst that’s enabled that,” he said.
The benefits outweigh the expense, as system stability, efficiency and security have improved now that access controls are enforced. “There’s always someone who has found a way to produce an extra pay cheque, and the information monitoring that Popi calls for gives visibility to internal frauds. Internal compliance isn’t as ‘ignorable’ as it was.”
Telkom is now behaving in a more responsible way and has processes in place to identify and report a potential breach. Overall, Popi has changed the way it does business and has usefully focused its IT security budget into the crucial areas, Jump said.
The Popi Act has been looming since 2013, and should finally become law this year. Companies will then have a year to comply, although the roll-out of a comprehensive compliance plan can take years.
The process can start by identifying who owns the data, so that accountability can be allocated, then apprising those owners of the risk, the need for protection and the cost of compliance compared to the risk of non-compliance.
It’s one of the largest IT projects a company will have to conduct, and it should already be underway, said Gareth de Laporte, the channel and alliances manager at Micro Focus South Africa, because for large companies with masses of data the process could take 30 years. Yet Micro Focus estimates that a staggering 35-60% of data held by the average company is irrelevant, unnecessary and not legally required.
Pieter van der Walt, the data integrity manager for Discovery, agreed that companies inherently hoard their data, so Popi will prove useful by setting out what they need to keep and preventing them from retaining everything “just in case”.
When it comes to implementation, Laporte said some customers horrify him by saying they aren’t worried because they’ll just dump all their data in the cloud. That will be a disaster if they don’t analyse it and clean it first.
A customer may exist in multiple places in a company’s databases, and without an inventory it could prove impossible to delete every record of someone who demands the right to be forgotten, for example. Besides, some cloud providers may have terms absolving them from the legal responsibility of protecting data, so companies must deal with the cloud as carefully as they deal with on-site records.
While achieving compliance will inevitably require more tools, Laporte warned against throwing money into software. “Tooling is 5% of your problem – 95% of your problem comes in the discipline. It’s not just about knowing and meeting the check boxes, it’s ongoing discipline that you will have embedded in your organisation forever. The tools are a small subset of the entire ecosystem.”
The surest way to galvanise executives into driving Popi compliance is by quantifying the cost of non-compliance, said Ritasha Kalidas, the director of IT security, risk and governance at Tiger Brands. She worked at Absa when it was owned by Barclays, and Barclays estimated the cost of addressing and recovering from a data breach as somewhere between R120-million and R140-million. That included legal and forensic fees and communicating with customers. Once a figure is put on the risk, the dynamics change because the executives realise what’s at stake, she said.
Retail giant Edcon has been working on Popi compliance for two years, and Chene Maartens, its executive of IT governance, risk and compliance, recommends starting with the human resources functions for on-boarding and off-boarding staff.
Making those Popi compliant will touch many different areas of the business like access management, employee data, payroll and health and safety, so the ripple effect is huge. “By fixing one level, you are achieving a hell of a lot of adherence to a whole lot of things you need to adhere to,” Maartens said.
- This promoted content was paid for by the party concerned