The importance of protecting personal identifiable information (PII) cannot be overstated. Irrespective of their size, businesses in every sector face the risk of data loss, particularly those that handle vast amounts of confidential customer information. Cyberattacks are also on the rise, as adversaries grow more determined, and their tools more sophisticated.

So says Fallon Steyn, Middle East and Africa regional sales manager at Next DLP, adding that alongside the evolving threat landscape, the regulatory landscape is becoming increasingly stringent and complex, leading businesses to seek out comprehensive solutions that go beyond addressing today’s challenges.

“This expansion of data privacy regulations did not happen in a vacuum. As more businesses began to collect personal information, they became inevitable targets for threat actors looking to exploit that data for financial or other gains.”

This has seen lawmakers strive to keep up with the evolving ways in which both established and emerging industries leverage technology to collect and monetise personal data and implement regulations designed to mitigate the risks of personal data exposure, she explains.

Protecting personal information

In South Africa, the Protection of Personal Information Act (Popia), outlines conditions for responsible parties to lawfully process personal information of data subjects, including both natural and juristic persons. “Popia places the responsibility of compliance on whoever determines the purpose and manner of processing personal information; it does not mandate obtaining consent from data subjects for processing, nor does it prohibit processing altogether,” says Steyn.

Popia consists of eight general conditions and three additional conditions that must be met by the responsible party. Moreover, the responsible party is also accountable for ensuring their operators (those processing data on their behalf) adhere to these conditions.

According to Steyn, this legislation is crucial as it safeguards data subjects from various harms, such as theft and discrimination. Importantly, noncompliance with Popia poses significant risks, including reputational damage, financial penalties, imprisonment and the possibility of compensating affected data subjects. Among these risks, the failure to protect account numbers carries particularly severe consequences.

“Moreover, regulations seek to uphold individuals’ right to privacy. To ensure effective data protection, regulators have been given the authority to impose harsh penalties on those who fail adequately to protect personal information.”

The department of justice & constitutional development found this out the hard way in May, Steyn says, as the Information Regulator issued an infringement notice, ordering the department to pay a R5-million fine for its failure to provide evidence of security improvements following a ransomware attack in 2021.

Unfortunately, many organisations view traditional DLP solutions as a stumbling block to business operations and security, for a range of reasons. For one, they had difficulty identifying and understanding how PII is used within the business, and while they understand they are capturing PII, they have little to no visibility as to how that data is being used daily.

Multiple risks, many sources

In today’s landscape. PII can be used (and put at risk) in many structured and unstructured formats and applications, including moving PII through web applications, messaging apps, screenshots, e-mail attachments and cloud storage services, Steyn adds. Additionally, the majority of DLP solutions require organisations to build a classification schema for all sensitive data and then search the enterprise – sometimes for months, maybe even years – to identify all instances of the data before it can begin protecting that data.

“Also, many DLP solutions were designed for business environments of 20 years ago, with applications running locally and all workers operating within the corporate network. They had granular rules dictating what each group of users could do with each class of data, leading to inevitable false alerts, frustrated users and security problems. In short, they were inadequate tools in today’s fight against cybercrime.”

Maintaining compliance with any regulatory mandate requires continuous, thorough diligence, as new sources of data are constantly emerging due to the needs of the business and the shifting regulatory environment, Steyn says.

Robust DLP solutions

Unlike legacy DLP, there are modern DLP solutions that help address today’s risks effectively. Having a next-gen DLP solution that incorporates artificial intelligence and machine learning capabilities, DLP can now be seen as an enabler to help organisations successfully implement a DLP strategy and be seen as an integral part of any robust data loss prevention strategy. Such a strategy serves to safeguard critical data, protect intellectual property and ensure compliance with relevant regulations. DLP systems play a key role in achieving these objectives by preventing the loss, mishandling or unauthorised access of confidential and classified company data, helping entities to fortify their data security and establish a safer digital environment, she says.

For modern business practices, the implementation of advanced DLP technologies has become crucial. These tools continually monitor, detect and block the transmission of confidential information beyond the company’s network. By employing sophisticated algorithms, next-gen DLP technology can intelligently identify any unauthorised transfer of data that requires intervention.

Addressing a critical challenge

DLP can help South African organisations address the critical challenge of adhering to the principles of Popia and ensuring the protection of personal information. By implementing a robust DLP strategy, they can effectively enforce Popia and strengthen data protection efforts. “Next-gen DLP technology can provide the necessary capabilities to identify sensitive data, and monitor usage, before having to build and enforce policies, thereby already reducing the risk of data breaches and fostering trust with stakeholders,” she says.

For example, Next DLP’s data protection solution, Reveal, uncovers risk, educates workforces, and helps companies meet security, compliance and regulatory requirements. Unlike legacy DLP, Reveal is a flexible, cloud-native, ML-powered solution built with today’s advanced threat landscape in mind.

“By embracing DLP as an essential component of their data protection arsenal, South African entities can not only meet legal obligations, but also cultivate a culture of privacy, accountability and transparency,” Steyn says.

About Next
Next DLP (“Next”) is a leading provider of insider risk and data protection solutions. The Reveal Platform by Next uncovers risk, stops data loss, educates employees, and fulfils security, compliance and regulatory needs. The company’s leadership brings decades of cyber and technology experience from Fortra (previously HelpSystems), DigitalGuardian, Crowdstrike, Forcepoint, Mimecast, IBM, Cisco and Veracode. Next is trusted by organisations big and small, from the Fortune 100 to fast-growing healthcare and technology companies. For more, visit www.nextdlp.com or connect on LinkedIn or YouTube.