After years of waiting for the Protection of Personal Information Act (Popia) to become law, many organisations are confident that they will meet its onerous regulations by the deadline.
The act came into force at the beginning of July, and gives companies until June next year to be fully compliant. Most participants in a recent TechCentral C-Suite roundtable on Popia — sponsored by Micro Focus and VIC IT — were confident that they’re already far along the journey.
The act sets out strict rules governing what organisations can and can’t do with information about their customers. It obliges them to take responsibility for it, and to use it only as needed, with heavy penalties for any breaches.
Old Mutual didn’t need this new law to make it take privacy seriously, said Magan Naidoo, its head of data and information management. “We’ve always taken a responsible business attitude and haven’t waited for Popia. We’ve always had a privacy policy across the enterprise that covers our businesses in South Africa and outside South Africa,” he said. “Brand damage to a company like Old Mutual cannot be counted — it would be catastrophic. We have processes, teams and protocols in place already as standard practices for breaches and privacy issues.”
A group-wide data protection team ensured that Old Mutual as a whole was compliant and had the necessary teams, policies and technology in place, he said. Each business unit also had its own information security officers, so Old Mutual was covered horizontally and vertically to ensure there were no gaps, he said.
Even so, it was taking Popia extremely seriously and had made further huge investments in resources, processes, policies and management to ensure it would be fully compliant by next June, Naidoo added.
Themba Mnguni, deputy director at the department of rural development & land reform, said they currently have an information officer and someone dealing with risk management, but because the departments of agriculture and rural development are merging, things are a little unstable. “It will be finalised as soon as possible but, currently there is an accounting officer who accounts for everything, and then responsibilities are delegated, in this case, to our risk officer.”
Telecommunications company Vox was also a very good position to be ready by deadline, said Niel van Rooyen, its head of information security.
Some participants expressed their fears about being in the firing line if anything went wrong, however. Tourvest was currently in the process of appointing an information officer, said Imraan Kharwa, its head of information security. At the moment, the responsibility is all his.
“My mandate extends to data privacy as well as information security, and it’s very likely that someone is going to wake me in the middle of the night in the event that we have a data breach because I’m responsible for our incident response and stakeholder management from a privacy and information security perspective. If anyone’s going to lose their job because of it, it’s likely going to be me.”
Investec’s data privacy officer, Janine West, said her organisation had an incident response team, and she’d be the one who got the call. An internal response team including the CIO and PR team would be alerted next to be on standby.
Complying with Popia wasn’t necessary only to avoid the fines or a jail sentence that could be incurred for lapses, but for a reputation standpoint, too, West added. “You don’t want to be the company that has the reputation for not having good governance or controls in place.”
But good governance had become harder with employees working from home during lockdown, as they needed more freedom for tasks like printing out documents. “You don’t know what happens with that data, or how it gets destroyed. There are no shredding machines in homes,” she said.
As an international broadcaster MultiChoice has to comply with Europe’s GDPR requirements as well as Popia. Yet both should come naturally to any company that cared about its customers, said Morne Bosch-Serfontein, its chief data officer. “If you follow good customer principles a lot of this new legislation should be second nature. We began a few initiatives a couple of years ago to make sure we could deliver to our customers and commit to them that their information will be protected,” he said.
Various programmes were introduced and mock audits conducted to make sure that from a process perspective everything was governed. “We took it a step further and made this part of the company’s KPIs, and one of our strategic objectives is that we that we pass these audits and remain relevant to our customers by protecting the information,” he stressed.
The Airports Company South Africa (Acsa) must also comply with GDPR as it deals with data from all over the world, said CIO Mthoko Mncwabe. The current challenge was to ensure its operations were Popia compliant in South Africa, since there were still a lot of gaps. “It’s quite a rush as we stand today, but I think we’ll meet the deadline,” he said. The responsibility for risk, compliance and security at Acsa is run through one programme across the group, with the executives of each business unit taking accountability for the data it owned, he said.
At Absa, data privacy was part of everybody’s job and not something that just one person was responsible for, said Ignus van Zyl, its lead security analyst and Africa Technology chief security officer. “Obviously we have teams that focus specifically on this, such as the privacy team, and we look at things like database security, and USBs, and whether they’re being used to move data through the bank,” he said. “We track all of this, because obviously we’re very worried about how our customer data is protected on a holistic level. But there isn’t really anyone working in the bank that doesn’t have some level of responsibility towards ensuring that Popia is properly implemented.”
It’s similar at Absa, where Juan Harmse heads a Converged Security Fusion Centre and deals with data-related issues and incidents in collaboration with the privacy officer. But everybody needed to take responsibility, too.
“We have a dedicated education and awareness team that deals specifically with privacy-related training, and one of the regulations is a compulsory compliance training course that everybody has to do every year. We run security education and awareness programmes throughout the year, including compliance-based training and a video series we’ve recently launched.”
While all the roundtable participants were responsible for security and privacy, the ultimate accountability sat with the CEO, stressed Ritasha Kalidas, director of IT security, risk and governance at Tiger Brands. “Usually if you’ve had a breach, you will find yourself in front of a regulator. The regulator doesn’t want to talk to us very technical people, they want to talk to the owners of the information, and that ultimately sits with the CEO.”
But C-suite executives weren’t accustomed to these types of conversations, and saw this as a security issue that the CIO or head of security should handle. For that reason, it was important to brief the CEO and the C suite very well if anything happened, so they could speak confidently, honestly and transparently about it, she said.
Standard Bank’s head of information risk governance, Emmerentia du Plooy, said the value of a company’s information far transcended any monetary value. It was the lifeblood of a business and its processes. “If your information gets compromised, the impact to the various stakeholders is huge and the reputational damage can be devastating. It doesn’t really matter which industry you are in, because if you have broken that trust element with either your clients, stakeholders or partners you are in deep trouble.”
The medical aid administration company 3Sixty Health also recognises data and cybersecurity as critical. “We’re dealing with sensitive health information such as blood test results or health conditions, so we would never want a situation where that data has been compromised,” said CIO Tshepo Motshegoa. “We rely a lot on Popia, because a lot of key core functions we provide depend on third party partners.”
Since 3Sixty Health handles the flow of data between doctors and other service providers, it must ensure it was secure and the parties it sent the data to were also secure. “We have put in place several fairly stringent cyber security clauses as well as mechanisms to ensure the safety of all data, as well as clauses to ensure that the correct people are liable in the event of an incident,” he said.
Security within the Glacier group was managed by a chief information security officer, and by various information security officers in the different business areas, said Evan Douman, its head of enterprise data management. As a company’s data awareness rose, so did its maturity towards the issue, he said. “We have to start defining where information security stops and starts, and where does it dive into a data governance or data management function.”
The online company Bidorbuy had one individual looking after data privacy, and a couple of teams protecting all the customer data in a database, and destroying it when appropriate, said CTO James Ostrowick. “It’s a multifaceted discussion point when it comes to who owns data privacy and who owns the security behind that,” he said.
Sibanye Stillwater has about 100 000 employees, and holds a lot of personal medical information about them. Every employee goes through an intense medical, plus periodic tests and an exit check-up. Samuel Mokoena, its governance, risk and compliance manager, said the information went back and forth to medical aid providers, and the company had become quite good at security to prevent unauthorised access or hacking. “However, the challenge for us is how to ensure the people who are authorised to have access to our information are safeguarding it,” he said.
Liberty treated data security as a joint operation between a compliance office and a data chapter that controlled data governance, said Siyabonga Mabuza, the senior data governance specialist. They had regular meetings with infosec as well, to discuss progress around Popia and GDPR compliance for all entities within the Liberty Group. Typical discussions would be around data initiatives, or where they were struggling with the appointment of data owners, the classification of data, or the implementation of data loss prevention tools.
Advice from Micro Focus for what to prioritise over the next six months was to start by understanding what data you have, plus the potential impacts of non-compliance. Make sure you know what you have and enforce the security around it, said security sales manager Brett Skinner. “You’re always going to have delinquents inside your business, so the starting point has to be the framework of the Act itself. Understand the risks and know where your personally identifiable information (PII) resides.”
Beyond that, this was a great opportunity to turn the expense of the necessary tools, technologies and training into an advantage, by making money out of the data once they better understood what they were holding. “A lot of people don’t understand what data they have and how they can monetise it,” he said.
GM at VIC IT Consulting Prischal Bahgoo has the last word. To lead on to what Skinner said, everyone’s talking about where the buck stops, and losing their jobs, what would happen if we gave you the opportunity to say if you had a breach the data was devalued or de identified. That’s something to consider.
- This promoted content was paid for by the party concerned