Data protection: SA companies need to take a global stance

With the implementation of the EU’s data protection laws just around the corner, local entities need to study up on how it could affect them.

D-day for implementation of the European Union’s (EU) General Data Protection Regulation (GDPR) is just three months away – and South African organisations are by no means off the hook.

If you are a South African entity that handles individuals’ personal data, you will be acutely aware of our country’s data protection law – the Protection of Personal Information (POPI) Act – but have you considered how the looming GDPR affects the way you manage clients’ personal information?

The fact of the matter is, if you are a locally-based business that offers goods or services to EU customers, you also deal with personal information or data relating to EU citizens – and you are just as responsible for complying with the GDPR as any EU business.

Leon van der Merwe, head of digital at customer communication firm PBSA, points out that any entity controlling or processing data relating to EU citizens is affected by the GDPR. “Controlling refers to any organisation that states why and how data is processed, while a processor is any party doing the actual processing of the data, whether based in the EU, or not.”

GDPR vs POPI

Van der Merwe says it is crucially important for local companies with dealings abroad to do their homework and familiarise themselves with the GDPR’s ground rules. “Companies could be fined heavily under GDPR regulations if they fail to provide evidentiary and auditable processes, as well as adequate IT security, to protect personal data.”

The GDPR is a regulation borne out of the European Parliament, Council of the European Union and European Commission’s joint intent to strengthen and unify data protection for EU citizens.

Non-compliance with the GDPR comes with a hefty fine of up to €20 million (about R290 million) – or 4% of annual sales.

Similar to SA’s POPI Act, the GDPR is all about data protection. Data includes things like a person’s name, email address and phone number, as well as information collected by website cookies like internet browsing habits.

Breaching rules laid out in the POPI Act comes with a R10 million fine and/or a jail sentence.

Van der Merwe summarises the parallels between the two data-protection laws: “POPI and GDPR are similar, in that they both aim to strengthen the protection of personal information. They differ in their approach, in that the GDPR takes a wider, more global perspective that includes anyone, anywhere either controlling or processing – or both – data relating to EU citizens.”

Auditable business processes

A big part of compliance, when it comes to both the POPI Act and the GDPR, specifically involves audit trails – something PBSA’s digital signature and workflow product, SignFlow, is heavily centred on.

For evidentiary purposes and in order for any company to assert GDPR compliance, the automated management of an audit trail is imperative.

Van der Merwe says SignFlow can assist customers in their strategy to automate and digitise processes in a responsible and compliant manner. “Business Process Automation is at the forefront of our technology development at SignFlow, including tools like DocFlow, CaseFlow and our digital customer on-boarding tools.”

At the core of SignFlow, he says, is Public Key Infrastructure (PKI). “PKI manages users’ private keys, and signs and secures documents using Public Key Cryptography. Not only does this make documents tamper-evident after they’ve been signed, but the entire operation is conducted in a secure network over encrypted secure socket layers between the public, personal devices and private servers.”

Unlike paper files and systems managing email attachments, this portal fully controls and audits the workflow and communication channels between interacting parties. “This greatly reduces the risk of data leaks,” says van der Merwe.

“The system enhances non-repudiation, creating a digital trail of undeniable events that prove intent and identity.”

With GDPR set to come into effect on 25 May 2018, and the high stakes attached to non-compliance, South African companies simply cannot afford not to take a global view on data protection. “The protection of personal information goes far beyond just the POPI Act for local companies dealing with international customers,” says van der Merwe.

Goodbye ink, hello digital signatures

With the business world turning increasingly to digitally signed documents, the hand-written signature is on its last legs.

With more businesses and entities than ever before turning to digitally signed documents to solve security issues and improve logistics, the value and lifespan of the hand-written signature has come under serious scrutiny.

While there is a certain sentimentality – perhaps an emotional attachment bred at school level – still attached to an individual’s unique autograph, there are overarching ideals that suggest a future without it.

In fact, the hand-written or ink signature has, in recent times, been likened to landline telephones and typewriters – age-old tools that, beyond their nostalgic appeal, are on their death bed. In the corporate world, which is increasingly aspiring towards a paperless future, pen-and-paper signing has been dubbed the enemy.

Leon van der Merwe, head of digital at PBSA and co-founder of South African based digital signature solution SignFlow, believes the hand-written signature’s time is slowly but surely coming to an end. “Ink signatures have been a part of human culture for aeons and, for their time, they had their place. But with today’s technology, there is no reason for us to hang on to something that, for all intents and purposes, is about as dependable as a fake Facebook profile.”

Ink signature snags

Van der Merwe points out the biggest problem with hand-written signatures is that they can easily be forged. “There are a number of ways in which digital signatures trump hand-written ones, but the most significant and compelling feature of digital above ink is that of security.

“Digital signatures use a cryptographic operation that creates a hash-code, which is unique to both the signer and the content. It cannot be copied, forged or tampered with. The whole process provides irrefutable proof of the signer’s identity, protects the data integrity of the document and provides non-repudiation of signed documents.”

Apart from ink signatures being prone to forgery, a general attitude of inattentiveness has crept in over the years, making them quite literally a joke. This is most applicable when it comes to transaction authorisation.

“When last did you notice a waiter or retail clerk checking the signature you pen on the receipt? And do you always sign legibly and consistently?” asks Van der Merwe.

As far back as 2001, Internet humourist John Hargrave experimented with this notion in a credit card prank in which he forged outlandish signatures on receipts. He reportedly signed receipts with, among others, “Mariah Carey”, “Beethoven” and “I stole this card”. Hargrave even signed in hieroglyphics. None of the merchants noticed. (Hargrave recounts his famous Credit Card Prank in his 2007 book, Prank the Monkey.)

‘Sign here’ has been replaced with ‘Click here’

Former US president Bill Clinton lent credence to the solidity of signing digitally in 2000, when he signed the first US bill into law electronically.

Renowned American business magazine Forbes begins its article on Clinton’s watershed signing with the line, “‘Sign here’ has just been replaced with ‘click here’.”

Another turning point in the life of the digital signature took place earlier this year, in July, when the European Union effected new guidelines for electronic signatures, giving them the same legal power as hand-written signatures.

“The benefits of employing digital business processes far outweigh the paper-reliant processes of days gone by and it’s only a matter of time before digital signatures take over from their expiring ink-on-paper counterparts,” says Van der Merwe.

Not only are digital signatures undeniably more secure and unable to be forged, he concludes, they are legally sound. “Importantly, they also create a digital audit trail and they don’t rely on filing, printing, scanning or back-and-forth emailing – paper-based processes that cost companies profoundly, in terms of both time and money.”