Data protection: SA companies need to take a global stance


With the implementation of the EU’s data protection laws just around the corner, local entities need to study up on how they could affect them.

D-day for implementation of the European Union’s (EU) General Data Protection Regulation (GDPR) is just three months away – and South African organisations are by no means off the hook.

If you are a South African entity that handles individuals’ personal data, you will be acutely aware of our country’s data protection law – the Protection of Personal Information (POPI) Act – but have you considered how the looming GDPR affects the way you manage clients’ personal information?

The fact of the matter is, if you are a locally-based business that offers goods or services to EU customers, you also deal with personal information or data relating to EU citizens – and you are just as responsible for complying with the GDPR as any EU business.

Leon van der Merwe, head of digital at customer communication firm PBSA, points out that any entity controlling or processing data relating to EU citizens is affected by the GDPR. “Controlling refers to any organisation that states why and how data is processed, while a processor is any party doing the actual processing of the data, whether based in the EU, or not.”

GDPR vs POPI

Van der Merwe says it is crucially important for local companies with dealings abroad to do their homework and familiarise themselves with the GDPR’s ground rules. “Companies could be fined heavily under GDPR regulations if they fail to provide evidentiary and auditable processes, as well as adequate IT security, to protect personal data.”

The GDPR is a regulation borne out of the European Parliament, Council of the European Union and European Commission’s joint intent to strengthen and unify data protection for EU citizens.

Non-compliance with the GDPR comes with a hefty fine of up to €20 million (about R290 million) – or 4% of annual sales.

Similar to SA’s POPI Act, the GDPR is all about data protection. Data includes things like a person’s name, email address and phone number, as well as information collected by website cookies like internet browsing habits.

Breaching rules laid out in the POPI Act comes with a R10 million fine and/or a jail sentence.

Van der Merwe summarises the parallels between the two data-protection directives: “POPI and GDPR are similar, in that they both aim to strengthen the protection of personal information. They differ in their approach, in that the GDPR takes a wider, more global perspective that includes anyone, anywhere either controlling or processing – or both – data relating to EU citizens.”

Auditable business processes

A big part of compliance, when it comes to both the POPI Act and the GDPR, specifically involves audit trails – something PBSA’s digital signature and workflow product, SignFlow, is heavily centred on.

For evidentiary purposes and in order for any company to assert GDPR compliance, the automated management of an audit trail is imperative.

Van der Merwe says SignFlow can assist customers in their strategy to automate and digitise processes in a responsible and compliant manner. “Business Process Automation is at the forefront of our technology development at SignFlow, including tools like DocFlow, CaseFlow and our digital customer on-boarding tools.”

At the core of SignFlow, he says, is Public Key Infrastructure (PKI). “PKI manages users’ private keys, and signs and secures documents using Public Key Cryptography. Not only does this make documents tamper-evident after they’ve been signed, but the entire operation is conducted in a secure network over encrypted secure socket layers between the public, personal devices and private servers.”

Unlike paper files and systems managing email attachments, this portal fully controls and audits the workflow and communication channels between interacting parties. “This greatly reduces the risk of data leaks,” says van der Merwe.

“The system enhances non-repudiation, creating a digital trail of undeniable events that prove intent and identity.”

With GDPR set to come into effect on 25 May 2018, and the high stakes attached to non-compliance, South African companies simply cannot afford not to take a global view on data protection. “The protection of personal information goes far beyond just the POPI Act for local companies dealing with international customers,” says van der Merwe.



ACS partnership bolsters digital certificate security


SignFlow has teamed up with Altech Card Solutions to offer Thales hardware security modules to its digital signature customers.

In a move that will see users’ private keys and personal digital certificates receiving a serious security boost, SignFlow has partnered with Altech Card Solutions (ACS), a division of Altron TMT, to offer Thales HSMs (hardware security modules) to digital signature customers.

Through its PKCS#11 cryptographic interface, SignFlow uses Thales NShield Connect HSMs to perform highly specialised cryptographic operations and to fully manage and secure private keys and personal digital certificates.

Head of digital at SignFlow’s parent company PBSA, Leon van der Merwe, says the partnership with ACS sees SignFlow extending its integration reach to include the Thales NShield range of network-attached, FIPS 140-2 Level 3 HSMs.

“Apart from deploying the NShield devices in the highly-secure SignFlow Cloud, we now also offer the NShield range to corporate customers who would like to localise and manage their SignFlow private keys in private data centres.”

The SignFlow HSMs are directly integrated with multiple local and global certificate authorities (CAs) to offer stringent, legally compliant Advanced Electronic Signature (AES), Qualified Electronic Signature (QES) and Adobe Approved Trust List (AATL) certificates, which are applied to documents through its digital signature application.

A division of Altron TMT (Pty) Ltd, ACS was formed in 1993 and is today firmly established as a leading player in the secure electronic transactions market.

It is Thales’ established track record in the payments security space and global footprint in hardware and software encryption solutions that makes this partnership so advantageous, says ACS.

SignFlow, an enterprise-class digital signature and document workflow application, was born in a digital era that has seen new business opportunities emerging as paper-based systems are replaced by digital platforms.

SignFlow digital signatures are powered by robust public-key infrastructure (PKI) technology, which is recognised as best practice for ensuring digital accountability. SignFlow digital signatures offer an effective, secure and legally compliant method of providing accountability during electronic transactions.

“Our partnership with ACS will benefit customers across the spectrum – including consumers using SignFlow’s SignFREE to sign documents, businesses using the SignFlow Cloud to distribute documents and government and corporate institutions using SignFlow’s Enterprise Hybrid Servers and Private Network Servers to digitally sign and workflow documents for sign-offs,” says Van der Merwe.

Digital signature technology breakthrough for face-to-face signing


The SignFlow team has made a technological breakthrough that gives users the ability to carry out face-to-face document signing and, on the fly, turn a simple electronic signature into a certifiable digital signature with a full audit trail.

Ideal for face-to-face contractual signing, the new SignFlow feature allows users to have documents signed in a face-to-face environment, with a graphical signature that is linked to the signer’s identity, cellphone number and email address. This provides the SignFlow user the opportunity to witness the signature, which – backed by a digital certificate – is 100% legal.

While the use of electronic signatures obtained via mechanisms such as handheld signature pads is commonplace, SignFlow has taken the practice to the next level and is the only solution on the market that takes an e-signature and turns it into a digital signature, with the signer’s information embedded into a digital certificate.

SignFlow Face-to-Face is not just the scribble of a signature with a mouse – it is a fully-fledged, legally certifiable digital signature with all the security and non-repudiation benefits that come with it.

On top of this, the Face-to-Face signature from SignFlow has all the auditing advantages of a digital signature – another area in which it trumps electronic signatures. This means that, after the document has been signed and the PDF downloaded, the audit trail of the person that signed can be seen in the PDF document – allowing the user to validate the person’s signature using Adobe Acrobat.

A digital signature differs fundamentally from an electronic signature. An electronic signature has no active verification capability built into it – nor does it come with a traceable audit trail – leaving it wide open to fraud and repudiation.

A digital signature, on the other hand, is created using a cryptographic operation that creates a hash-code unique to both the signer and the content, so that it cannot be copied, forged or tampered with. In this case there is strong proof of the signer’s identity, and the data integrity of the document is totally protected.

ee publishers – Digital signatures with one click

August 6th, 2014, Published in Articles: EngineerIT

by Hans van de Groenendaal, features editor, EngineerIT

New, ground-breaking technology – called “CoSign Click” – is set to revolutionise how companies “on-board” new customers: there is no cumbersome and time-consuming manual process of printing out forms, signing in pen, scanning and uploading or emailing the document.

Leon van der Merwe – Business Development Manager

CoSign Click is a digital signature solution which enables a company’s customers to sign online documents and forms electronically without requiring a digital signature or any hardware signing device. “Until now, signing electronically with a digital signature was only available to licensed subscribers of digital signature applications,” said Leon van der Merwe, business development manager of Pitney Bowes, the first company to introduce CoSign Click to South Africa. “This new technology will be a boon for companies requiring customers to provide a once-off signature on a document or form.”

In South African law there are certain statutes that require a signature before a document can be considered valid. If this signature is to be applied electronically, the Electronic Communications and Transactions (ECT) Act of 2002 refers to an “advanced” electronic signature (AeS), which is the only type of electronic signature recognised as legally acceptable.

“We have partnered with ARX, a leading provider of digital signatures, to offer a legally compliant solution for digitally signing documents which can then be seamlessly integrated with an electronic document management system.”

There are three areas in which the technology ensures compliance, the three “I”s: intent (to sign), identity (of the signer) and integrity (of the document). After a person electronically signs a document, the content of the document is protected: if changes are made to the signed document, the signature will no longer be valid. Digital signatures have become increasingly necessary in today’s international and local business world, as companies strive to automate and streamline their systems. CoSign Click provides a slick alternative to what has historically been a paper-intensive and inefficient process. “No printing or scanning, just a digital process,” said van der Merwe.
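The hash-and-sign mechanism behind the “integrity” and “identity” properties described here, and in the digital-versus-electronic-signature passage of the face-to-face article above, as an added example that is not code from SignFlow, CoSign, ARX or the article authors. It assumes ECDSA P-256 over a SHA-256 digest (the page does not say which algorithms the products use), and the contract text is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignDocument hashes the document with SHA-256 and signs the digest with the
// signer's private key (ECDSA P-256 is an assumed choice for this example).
func SignDocument(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyDocument recomputes the digest and checks the signature against the
// claimed signer's public key: true only if content and signer both match.
func VerifyDocument(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// TamperEvidence signs a constructed contract and reports the three checks.
func TamperEvidence() (validOriginal, validTampered, validOtherKey bool, err error) {
	signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	doc := []byte("Party A agrees to pay Party B R10 000 by 25 May 2018.") // constructed
	sig, err := SignDocument(signer, doc)
	if err != nil {
		return
	}
	validOriginal = VerifyDocument(&signer.PublicKey, doc, sig)
	tampered := []byte("Party A agrees to pay Party B R90 000 by 25 May 2018.")
	validTampered = VerifyDocument(&signer.PublicKey, tampered, sig)
	validOtherKey = VerifyDocument(&other.PublicKey, doc, sig)
	return
}

func main() {
	o, t, k, err := TamperEvidence()
	fmt.Println("original:", o, "tampered:", t, "other key:", k, "err:", err)
}
```

A one-figure edit to the amount, or a verification attempt under a different party's key, is enough to make the check fail, which is the property that lets a PDF reader flag a modified signed document.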

CoSign is said to be the most widely used digital signature solution. In 2013 it was recognised as “the strongest digital signature solution” in the Forrester Wave: E-Signatures report. Millions of people at large enterprises, SMBs, governments and cloud services around the world use CoSign every day on their computers and mobile devices to easily add secure digital signatures to documents in Word, Excel, PDF, SharePoint, OpenText, Oracle, Alfresco, Nintex, K2, and many other applications and file formats.

CoSign Click is an add-on component to collect digital signatures from partners, customers and other external parties. Documents that need to be signed are exported directly from existing workflows and securely sent to any external party from the CoSign Click interface. A web-based, mobile-ready application is used to sign the document and return it directly into the sender’s document management system.

View original article – ee publishers:

http://www.ee.co.za/article/digital-signatures-with-one-click.html
