Last month saw the uncovering of South Africa’s largest data leak to date, which revealed that the personal data records of over 60 million individuals had been made publicly available, placing them at risk of identity theft and other cyber-related crimes. This has awakened a renewed interest in the looming enforcement of the Protection of Personal Information Act (PoPI). Had PoPI already been in play, the organisation responsible for the data leak, Jigsaw Holdings, would have had to be held accountable not only for its failure to act in a manner that proves its dedication to protecting personal information, but also for its failure to notify the affected individuals appropriately and in time.
While many organisations have viewed PoPI as a necessary evil, the benefits of compliance – and of the underpinning data governance structures – are quickly being realised. Yet one of the biggest mistakes that organisations make when it comes to PoPI compliance is thinking that it exists primarily to protect data from external attacks. Many companies assume that because they have the necessary data security measures in place, they are covered. Data security, however, is only one of the components of PoPI compliance and, if a breach does occur, the organisation still carries a considerable responsibility toward the remaining seven components.
This begs the question: how ready are South African organisations to manage a data breach, should one occur?
PoPI and the governance link
The PoPI Act was promulgated in 2013, and requires companies to take – and be able to prove – adequate precautions against data loss. It signals a shift in how organisations think about data privacy, moving the focus away from the actual data toward the fundamental rights of the data subjects themselves.
PoPI requires that organisations put processes in place to ensure that personal data is only used for the purpose for which it was intended, that it is protected from unauthorised access, and that there is accountability. This accountability requires that organisations take the necessary steps to notify both the Regulator and the data subject in the event of a breach – something that failed to happen with the recent mass data leak.
Most importantly, PoPI requires that sound data governance principles are proven to have been in place throughout the life cycle of personal data. A data governance policy which ties into the eight pillars of PoPI will not only serve to reduce the risk of breach but will also ensure that, in the event of a breach, the organisation is able to protect itself and minimise the repercussions.
PoPI outlines eight components, or pillars, for compliance. They are as follows:
1. Accountability – ensuring that the organisation is responsible for the manner in which it processes personal data and manages breaches.
2. Processing Limitations – outlining the limitations within which an organisation must work in order to process personal data.
3. Purpose Specification – defining that personal data may only be retained and used for specific purposes.
4. Further Processing Limitation – detailing the requirements for any additional use of personal data beyond its original purpose.
5. Information Quality – outlining the requirements for data quality.
6. Openness – explaining the level of transparency required with regard to the processing, use, storage and possible breach of an individual’s personal data.
7. Security Safeguards – defining what security measures and proofs are required to protect personal information, including access authorisation and notification of security compromises.
8. Data Subject Participation – outlining the parameters for the organisation’s interaction with the data subject in terms of access to, correction of and use of their data.
These components are all manageable under a proper data governance policy, which exists to guide an organisation on how best to access, manage, store and use personal data, as well as who may do so. Simply put, if everyone in an organisation knows their own role and limitations with regard to the handling of personal data, and follows proper governance structures, the risk of a breach is dramatically reduced.
Setting up a data governance strategy
Data governance comprises three parts: policy, implementation (echoing the PoPI Act’s requirement), and education. The policy outlines an organisation’s responsibility towards personal – and other – data, including who may access and use what data, and how. The implementation governs the delivery of proper measures to, for example, secure the data, incorporating both data security tools and the processes that organisations follow to secure data. Implementation must also define the process that will be followed in the event of a breach.
Education, however, may be the most important aspect of data governance. It requires clearly communicating to everyone within (and even outside of) an organisation their responsibilities with respect to personal (and other) data, what they have to do to ensure proper use and security, and what the ramifications of non-compliance are.
Creating, defining and implementing a data governance policy that complies with the PoPI Act (and with GDPR, if the organisation does business in Europe) is an ongoing exercise, particularly where large quantities of data are involved. However, it can be achieved with the help of specialised organisations that understand your business, the risks involved and how to define, or redefine, the processes and mechanisms that enable a sound data governance policy, one which will ensure your business is prepared in the event of a data breach.