Last month saw the uncovering of South Africa's largest data leak to date, which revealed that the personal data records of over 60 million individuals have been made publicly available, placing them at risk of identity theft and other cyber-related crimes.
This has awakened a renewed interest in the looming enforcement of the Protection of Personal Information Act (PoPI).
Had PoPI already been in play, the organisation responsible for the data leak, Jigsaw Holdings, would have been held accountable not only for its failure to act in a manner that proves its dedication to protecting personal information, but also for its failure to notify the affected data subjects suitably and in time.
While many organisations have viewed PoPI as a necessary evil, the benefits of compliance - and underpinning data governance structures - are quickly being realised.
Yet one of the biggest mistakes that organisations make when it comes to PoPI compliance is thinking that it exists primarily to protect data from external attacks.
Many companies assume that because they have the necessary data security measures in place, they are covered. Data security, however, is only one of the components of PoPI compliance and, if a breach does occur, the organisation still carries a considerable responsibility towards the remaining seven components.
PoPI and the governance link
The PoPI Act was promulgated in 2013, and requires companies to take - and be able to prove - adequate precautions against data loss. It signals a shift in how organisations think about data privacy, moving the focus away from the actual data towards the fundamental rights of the data subjects themselves.
The requirements
PoPI outlines eight components, or pillars, for compliance. They are as follows:
These components are all manageable under a proper data governance policy, which exists to guide an organisation on how to best access, manage, store and use personal data as well as who may do so.
Simply put, if everyone in an organisation knows their own role and limitations with regards to the handling of personal data, and is following proper governance structures, the risk of breach is dramatically reduced.
Setting up a data governance strategy
Data governance comprises three parts: policy, implementation (echoing the PoPI Act’s requirement), and education. The policy outlines an organisation’s responsibility towards personal - and other - data, including who may access and use what data, and how.
The implementation governs the delivery of proper measures to, for example, secure the data, incorporating both data security tools and the processes that organisations follow to secure data. Implementation must also define the process that will be followed in the event of a breach.
Education, however, may be the most important aspect of data governance. This requires clearly communicating to everyone within (and even outside of) an organisation their responsibilities with respect to personal (and other) data, what they have to do to ensure proper use and security, and what the ramifications of non-compliance are.
Creating, defining and implementing a data governance policy that complies with the PoPI Act (and the GDPR, if required to do business in Europe) is an ongoing exercise, particularly where large quantities of data are involved.
However, it can be achieved with the help of specialised organisations who are able to understand your business, the risks involved and how to define, or redefine, the processes and mechanisms that enable a sound data governance policy - one which will ensure your business is prepared in the event of a data breach.
- Gary Allemann is managing director at Master Data Management. Views expressed are his own.