Data protection D-day is here – SA companies take heed

Featured

GDPR is here, and for organisations that handle any personal information relating to people in EU member states, non-compliance will be ruinous.

The countdown has ended. D-day for enforcement of the European Union’s (EU) General Data Protection Regulation (GDPR) is here.

As of today, 25 May 2018, penalties will begin rolling in for organisations that have not yet taken the necessary steps to ensure they are compliant with this restructured – and considerably more stringent – set of data protection regulations.

The GDPR is a regulation born out of the European Parliament, Council of the European Union and European Commission’s joint intent to strengthen and unify data protection for EU citizens.

But just because the GDPR is an EU regulation, South African organisations are by no means off the hook. On the contrary, experts warn, local companies need to take the GDPR – positioned as one of the most significant changes in data privacy regulation in 20 years – very seriously.

The inescapable fact is, any South African company that handles personal data connected to the EU has to comply with the GDPR, and failure to do so will be met with the same major consequences EU organisations face for non-compliance.

Far-reaching forces

Over recent decades, personal data has not only become an increasingly important corporate asset that needs to be handled with extreme care, it has also become geographically agnostic. This means that, today more than ever, with the exponential growth of data propagated across borders, organisations globally need to take a staunch and unified approach to guarding it.

South African organisations, big or small, are no different. Nor is the GDPR the only government-led product of this digital age, or the last; it is merely the latest one to be enforced.

Leilani Smit, compliance professional at Smit Compliance (Pty) Ltd, notes that the GDPR applies to any local organisation that holds or processes data on EU citizens, regardless of the location of its head office. “This includes companies that have employees in the EU, sell or market products or services in the EU, or partner with EU organisations.”

Leon van der Merwe, head of digital at customer communication firm PBSA and director of local digital signature and workflow solution SignFlow, adds that any South African entity controlling or processing data relating to EU citizens is affected by the GDPR. “Controlling refers to any organisation that states why and how data is processed, while a processor is any party doing the actual processing of the data, whether based in the EU, or not.”

World Wide Worx MD, Arthur Goldstuck, says the effects of the GDPR will be far-reaching due to the fact that the EU is SA’s biggest trade partner. “[On top of this], any company that does business with a company that has to comply with GDPR, will also have to comply, to ensure the client is in compliance.”

GDPR vs POPI

Fortunately for SA, details of the country’s own data protection law – the Protection of Personal Information (POPI) Act – have been widely publicised since 2013, and many companies will already be familiar – some even largely compliant – with what is expected of them in terms of data protection.

Summing up SA’s POPI Act, Michalsons says: “Essentially, the purpose of [POPI] is to protect people from harm by protecting their personal information. To stop their money being stolen, to stop their identity being stolen, and generally to protect their privacy, which is a fundamental human right.”

Although – unlike the GDPR – POPI still has no known commencement date, what is known is that companies will have a one-year transitional phase in which to comply once that date is made public.

Smit says, should a local company already be compliant with international legislation such as GDPR, the implementation of policies to comply with POPI “should be a breeze and not require anything other than normal company practices and procedures”.

Van der Merwe says POPI and GDPR are similar in that both are intended to strengthen the protection of individuals’ personal information and privacy, and it is precisely this element – intention – that is key here, says Goldstuck.

The high price of non-compliance

Another area in which both sets of rules are similar is in the hefty fines that come with non-compliance.

In a nutshell: breach the rules laid out in the POPI Act and face a fine of up to R10 million and/or a jail sentence; fail to comply with the GDPR and be prepared for a fine of up to €20 million (about R290 million) or 4% of global annual turnover, whichever is greater.

Smit comments: “In South African terms, POPI already poses strict penalties for non-compliance, however as far as our Rand stretches, the GDPR’s penalties will definitely cause sleepless nights.”

Although possibly the biggest concern for companies, Smit notes that financial implications are not the only implications they should be worried about. “Not only can non-compliance result in fines and penalties set by the legislation itself, but [the] reputational damage of not processing information correctly can often be more damaging than the initial penalty itself.”

It is this high price of non-compliance that IT and legal experts hope will drive South African companies to do the right thing – not only for themselves, but ultimately for their customers – and fervently strive to meet GDPR compliance criteria.

Consumer-centric control

Van der Merwe says it is all about the consumer. “Both GDPR and POPI were ultimately created to protect the consumer’s privacy. We are all someone’s consumer, and even small businesses owners need to think carefully and logically about areas in their business where personal information is processed or stored, and what vulnerabilities may exist in their processes.

“For instance, we all receive CVs that contain heaps of personal and even sensitive information. Often, after a host of interviews, only the person’s CV that is employed, is securely transferred to a digital or physical vault in HR. What happens to the rest of the CVs that did not make it? It is the responsibility of any business to have policies and procedures to timeously and responsibly destroy such information. Simply identifying these vulnerabilities and implementing logical measures to manage them, is a good start for any size business.

“GDPR is a good thing that could be very bad news for companies, if they fail to provide evidentiary and auditable processes and adequate IT security to protect personal data.”

Goldstuck adds that it is not only important, but essential, that South African companies have a global view on data protection. “Something as simple as having a website hosted on an international platform can make a company liable to sanction under GDPR.”

Teaming up with tech

When it comes to local companies complying with the seemingly daunting and complicated GDPR in a relatively pain-free way, experts agree technology will be key. Software systems that offer automation, content management, enterprise resource planning and accounting, among others, will become a lifeline for many companies in their quest to comply.

Van der Merwe says existing paper-based processes and antiquated electronic systems, created before the GDPR and POPI, pose major risks of contravening these laws and directives. “It is all about how businesses – and governments themselves – are going to align their physical and data processing practices with the new requirements and legislation. New regulations that enforce concepts such as the right to be forgotten pose major challenges if not considered in the process from the outset.”

Goldstuck says, while the data protection laws necessitate considerable changes in the ways businesses operate and interact with customers, good compliance systems will provide most of the safeguards they need.

“Businesses will have to get permission for almost every interaction with customers, they will have to become more discerning in what information they require from customers, and they will have to institute strict compliance systems to ensure they do not fall foul of these laws. As a result, compliance officers, CIOs and CTOs will have more direct roles to play in customer strategy.”

Don’t delay

Although POPI is not yet enforceable, its commencement date has been looming large on the horizon for some time now, with many expecting it by the end of 2018.

Despite this, say experts, many organisations are far from being ready. Goldstuck says: “Most large businesses have geared themselves up to comply with POPI, although many have not put this gearing up into effect. However, there is also an impression that many companies are simply not bothering until they are forced.”

Forrester’s 2018 predictions indicate that a whopping 80% of firms will not comply with GDPR regulations by May this year.

This has to change – and fast – says Smit. “Businesses can no longer just take a backseat and hope this will pass by or fly over. Active steps will have to be taken in an organisation, for instance staff training, risk assessments and creating an ethical culture within an organisation, specifically with regards to processing personal information.”

[REFERENCES]

  1. EUR-Lex – Access to European Law
  2. org – Web learning resources for the EU General Data Protection Regulation
  3. Government Gazette (justice.gov.za) – Act No. 4 of 2013: Protection of Personal Information Act, 2013
  4. Michalsons – POPI Act Summary in Plain Language
  5. Forrester – Predictions 2018: A Year of Reckoning

Data protection: SA companies need to take a global stance

With the implementation of the EU’s data protection laws just around the corner, local entities need to study up on how it could affect them.

D-day for implementation of the European Union’s (EU) General Data Protection Regulation (GDPR) is just three months away – and South African organisations are by no means off the hook.

If you are a South African entity that handles individuals’ personal data, you will be acutely aware of our country’s data protection law – the Protection of Personal Information (POPI) Act – but have you considered how the looming GDPR affects the way you manage clients’ personal information?

The fact of the matter is, if you are a locally-based business that offers goods or services to EU customers, you also deal with personal information relating to EU citizens – and you are just as responsible for complying with the GDPR as any EU business.

Leon van der Merwe, head of digital at customer communication firm PBSA, points out that any entity controlling or processing data relating to EU citizens is affected by the GDPR. “Controlling refers to any organisation that states why and how data is processed, while a processor is any party doing the actual processing of the data, whether based in the EU, or not.”

GDPR vs POPI

Van der Merwe says it is crucially important for local companies with dealings abroad to do their homework and familiarise themselves with the GDPR’s ground rules. “Companies could be fined heavily under GDPR regulations if they fail to provide evidentiary and auditable processes, as well as adequate IT security, to protect personal data.”

The GDPR is a regulation born out of the European Parliament, Council of the European Union and European Commission’s joint intent to strengthen and unify data protection for EU citizens.

Non-compliance with the GDPR comes with a hefty fine of up to €20 million (about R290 million) or 4% of global annual turnover, whichever is greater.

Similar to SA’s POPI Act, the GDPR is all about data protection. Personal data includes things like a person’s name, email address and phone number, as well as information collected by website cookies, such as internet browsing habits.

Breaching rules laid out in the POPI Act comes with a R10 million fine and/or a jail sentence.

Van der Merwe summarises the parallels between the two data-protection directives: “POPI and GDPR are similar, in that they both aim to strengthen the protection of personal information. They differ in their approach, in that the GDPR takes a wider, more global perspective that includes anyone, anywhere either controlling or processing – or both – data relating to EU citizens.”

Auditable business processes

A big part of compliance, when it comes to both the POPI Act and the GDPR, specifically involves audit trails – something PBSA’s digital signature and workflow product, SignFlow, is heavily centred on.

Both laws expect an organisation to be able to demonstrate that it handled personal information correctly, so for evidentiary purposes, and in order for any company to assert GDPR compliance, an automatically maintained audit trail is essential.

Van der Merwe says SignFlow can assist customers in their strategy to automate and digitise processes in a responsible and compliant manner. “Business Process Automation is at the forefront of our technology development at SignFlow, including tools like DocFlow, CaseFlow and our digital customer on-boarding tools.”

At the core of SignFlow, he says, is Public Key Infrastructure (PKI). “PKI manages users’ private keys, and signs and secures documents using Public Key Cryptography. Not only does this make documents tamper-evident after they’ve been signed, but the entire operation is conducted in a secure network over encrypted secure socket layers between the public, personal devices and private servers.”

Unlike paper files and systems managing email attachments, this portal fully controls and audits the workflow and communication channels between interacting parties. “This greatly reduces the risk of data leaks,” says van der Merwe.

“The system enhances non-repudiation, creating a digital trail of undeniable events that prove intent and identity.”

With GDPR set to come into effect on 25 May 2018, and the high stakes attached to non-compliance, South African companies simply cannot afford not to take a global view on data protection. “The protection of personal information goes far beyond just the POPI Act for local companies dealing with international customers,” says van der Merwe.

[REFERENCES]

  1. Digiday – For the GDPR-curious: WTF is the Article 29 Working Party?
  2. The Digiday Guide to GDPR (PDF)
  3. The Sun – What is GDPR, what does it stand for, when is the deadline in 2018 and how can you check if a business is compliant?
  4. Michalsons – What does the GDPR mean for the POPI Act?
  5. Michalsons – POPI commencement date or POPI effective date starts the clock
  6. Wikipedia – General Data Protection Regulation
  7. IOL – Protection of Personal Information Act soon to become a reality
  8. ITWeb – Unpacking the POPI Act: The ins and outs of protecting personal information

SignFlow ties up with Accfin to digitise accounting processes

The integration of two state-of-the-art software platforms transports the accounting profession into a new world of digitisation.

Digital signature workflow solution SignFlow and accounting software firm Accfin have integrated their respective software platforms, in a move that places the accounting profession securely in a new and exciting world of digitisation.

Accfin, a local software firm leading the way in automation of back-office systems for accounting and auditing companies, grew out of an accounting firm over 20 years ago. The recent tie-up with SignFlow – a locally developed and internationally recognised digital signature solution – essentially automates the entire communication process involved in the accounting practice.

Leon van der Merwe, head of digital at SignFlow parent company PBSA, explains, “By using the SignFlow feature in Accfin software, you eliminate the need for print, courier and e-mailing of sensitive documents to customers – and then having to wait days, even weeks for a response.

“SignFlow is built on a powerful, digital workflow engine that tracks progress and instils accountability and auditability. Apart from the obvious environmental advantages the solution offers, the value of saving time through increased efficiency, is most valuable to accountants, who work under tremendous time pressure.”

Accfin MD Mark Silberman says the integration with SignFlow “changes the state of play” in the accounting market place. “It automates the communication process. Our software allows accounting firms to communicate with their clients. The integration of SignFlow with [Accfin’s] Sky Software allows the customers of the accountant to authorise the filing of tax returns and approve company resolutions.”

Accfin, which strives to provide state-of-the-art back office systems to South African accounting firms, currently provides automation software across the sector – from large international firms, to small sole practitioners.

Van der Merwe says SignFlow is proud to be associated with Accfin Software – a company that is “definitely leading the way in automating back office systems for accounting and auditing firms”.

“SignFlow is fast becoming the most trusted digital signature workflow solution in South Africa, especially within the auditing and financial sectors,” concludes Van der Merwe.

Draftworx, SignFlow integration yields SA first

A recent partnership between the two software platforms brings a cutting-edge automation solution to the accounting and auditing industry.

In a move that has seen the birth of cutting-edge technology – the first of its kind in South Africa – SignFlow has partnered with Draftworx, addressing a critical need identified among auditors and corporate companies that draft financial statements.

Draftworx provides automated drafting and working paper financial software to more than 2 500 accounting and auditing firms. The company went to market six and a half years ago, bringing the industry easy-to-learn and easy-to-use automation software that allows accountants and auditors to generate International Financial Reporting Standards (IFRS)/IFRS SME compliant financial statements and to meet ISA audit, review and compilation engagement requirements.

According to Leon van der Merwe, head of digital at SignFlow parent company PBSA, the integration between the two software platforms came about when a massive need among auditors and corporates that prepare their own financial statements was identified – that of automating and digitising the process of getting financial statements and engagement documents signed off by company directors.

“Auditors can now automate and digitise their document delivery processes using the DigiSign module in the Draftworx platform to distribute documents electronically for customers to sign, using legally binding SignFlow digital signatures. The distribution and signing process is completely digital and auditable, entirely removing the need to print, scan and deliver paper-based financial statements and engagement contracts.”

Draftworx CEO Earl Steyn says the company, which aims to be in the cloud by year-end, sees SignFlow becoming one of its core technologies and marketing advantages. “Accountants and auditors can reduce time wastage – as well as waiting periods – by having their clients sign all their documentation offsite and at their leisure.”

Steyn adds his experience with SignFlow – a locally developed and internationally recognised digital signature and workflow solution – has been “phenomenal”. He says the team pays attention to detail and is willing to customise SignFlow to Draftworx and its clients’ requirements.

Van der Merwe says the SignFlow team is proud to be associated with Draftworx software, “which is leading the way in IFRS/IFRS SME compliant financial statements and ISA audit software in South Africa and across Africa”.

ACS partnership bolsters digital certificate security

SignFlow has teamed up with Altech Card Solutions to offer Thales hardware security modules to its digital signature customers.

In a move that will see users’ private keys and personal digital certificates receiving a serious security boost, SignFlow has partnered with Altech Card Solutions (ACS), a division of Altron TMT, to offer Thales HSMs (hardware security modules) to digital signature customers.

Through the PKCS#11 cryptographic interface exposed by the HSM, SignFlow uses Thales nShield Connect HSMs to perform specialised cryptographic operations and to manage and secure private keys and personal digital certificates.

Head of digital at SignFlow’s parent company PBSA, Leon van der Merwe, says the partnership with ACS sees SignFlow extending its integration reach to include the Thales nShield range of network-attached, FIPS 140-2 Level 3 HSMs.

“Apart from deploying the nShield devices in the highly-secure SignFlow Cloud, we now also offer the nShield range to corporate customers who would like to localise and manage their SignFlow private keys in private data centres.”

The SignFlow HSMs are directly integrated with multiple local and global CAs (certificate authorities) to offer stringent, legally compliant advanced electronic signatures (AES), qualified electronic signatures (QES) and Adobe Approved Trust List (AATL) certificates, which are applied to documents through its digital signature application.

A division of Altron TMT (Pty) Ltd, ACS was formed in 1993 and is today firmly established as a leading player in the secure electronic transactions market.

It is Thales’ established track record in the payments security space and global footprint in hardware and software encryption solutions that makes this partnership so advantageous, says ACS.

SignFlow, an enterprise-class digital signature and document workflow application, was born in a digital era that has seen new business opportunities emerging as paper-based systems are replaced by digital platforms.

SignFlow digital signatures are powered by robust public-key infrastructure (PKI) technology, which is recognised as best practice for ensuring digital accountability. SignFlow digital signatures offer an effective, secure and legally compliant method of providing accountability during electronic transactions.

“Our partnership with ACS will benefit customers across the spectrum – including consumers using SignFlow’s SignFREE to sign documents, businesses using the SignFlow Cloud to distribute documents and government and corporate institutions using SignFlow’s Enterprise Hybrid Servers and Private Network Servers to digitally sign and workflow documents for sign-offs,” says Van der Merwe.

Goodbye ink, hello digital signatures

With the business world turning increasingly to digitally signed documents, the hand-written signature is on its last legs.

With more businesses and entities than ever before turning to digitally signed documents to solve security issues and improve logistics, the value and lifespan of the hand-written signature has come under serious scrutiny.

While there is a certain sentimentality – perhaps an emotional attachment bred at school level – still attached to an individual’s unique autograph, there are overarching ideals that suggest a future without it.

In fact the hand-written or ink signature has, in recent times, been likened to landline telephones and typewriters – age-old tools that, beyond their nostalgic appeal, are on their death bed. In the corporate world, which is increasingly aspiring towards a paperless future, pen-and-paper signing has been dubbed the enemy.

Leon van der Merwe, head of digital at PBSA and co-founder of South African based digital signature solution SignFlow, believes the hand-written signature’s time is slowly but surely coming to an end. “Ink signatures have been a part of human culture for aeons and, for their time, they had their place. But with today’s technology, there is no reason for us to hang on to something that, for all intents and purposes, is about as dependable as a fake Facebook profile.”

Ink signature snags

Van der Merwe points out the biggest problem with hand-written signatures is that they can easily be forged. “There are a number of ways in which digital signatures trump hand-written ones, but the most significant and compelling feature of digital above ink is that of security.

“Digital signatures use a cryptographic operation that creates a hash-code, which is unique to both the signer and the content. It cannot be copied, forged or tampered with. The whole process provides irrefutable proof of the signer’s identity, protects the data integrity of the document and provides non-repudiation of signed documents.”
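As an added illustration, not SignFlow’s own code and not a description of its internals, the Go program below does what the quote describes: it hashes the document, signs the digest with the signer’s private key and verifies the result with nothing but the public key. In the nShield deployment described in the ACS partnership article above, the private key lives inside the HSM and the signing call goes through PKCS#11; here an in-memory RSA key stands in for the HSM-resident key. The document text, the signer names and the audit-record layout are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// AuditRecord is the evidentiary trail entry stored next to each signature.
// Hypothetical layout for this example, not SignFlow's own record format.
type AuditRecord struct {
	Signer    string
	DocSHA256 string // hex digest of the exact bytes that were signed
	SignedAt  time.Time
	Signature []byte
}

// Signer holds a private key. In production the key never leaves the HSM and
// Sign would be a PKCS#11 C_Sign call; an in-memory RSA key stands in here.
type Signer struct {
	Name string
	key  *rsa.PrivateKey
}

// NewSigner generates a fresh 2048-bit RSA key for the named signer.
func NewSigner(name string) (*Signer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, key: key}, nil
}

// Public returns the verification key that can be shared freely.
func (s *Signer) Public() *rsa.PublicKey { return &s.key.PublicKey }

// Sign hashes the document with SHA-256 and signs the digest with RSA-PSS,
// returning the audit record that binds signer, content hash and time.
func (s *Signer) Sign(doc []byte) (AuditRecord, error) {
	digest := sha256.Sum256(doc)
	sig, err := rsa.SignPSS(rand.Reader, s.key, crypto.SHA256, digest[:], nil)
	if err != nil {
		return AuditRecord{}, err
	}
	return AuditRecord{
		Signer:    s.Name,
		DocSHA256: hex.EncodeToString(digest[:]),
		SignedAt:  time.Now().UTC(),
		Signature: sig,
	}, nil
}

// Verify recomputes the digest over the presented document and checks the
// signature against it using only the claimed signer's public key. Any change
// to the content, or a signature made with a different key, makes it fail.
func Verify(pub *rsa.PublicKey, doc []byte, rec AuditRecord) bool {
	digest := sha256.Sum256(doc)
	if hex.EncodeToString(digest[:]) != rec.DocSHA256 {
		return false // content differs from what the record says was signed
	}
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], rec.Signature, nil) == nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	// Constructed sample document, not a real engagement letter.
	doc := []byte("Engagement letter: fee R10 000, approved by the director.")

	alice, err := NewSigner("alice@example.test")
	must(err)
	mallory, err := NewSigner("mallory@example.test")
	must(err)

	rec, err := alice.Sign(doc)
	must(err)
	fmt.Println("digest:             ", rec.DocSHA256)
	fmt.Println("original verifies:  ", Verify(alice.Public(), doc, rec))

	// One changed digit in the amount: the digest no longer matches.
	tampered := []byte("Engagement letter: fee R100 000, approved by the director.")
	fmt.Println("tampered verifies:  ", Verify(alice.Public(), tampered, rec))

	// The signature is bound to Alice's key, so it fails under Mallory's.
	fmt.Println("wrong key verifies: ", Verify(mallory.Public(), doc, rec))

	// Mallory can sign the tampered text, but not as Alice.
	forged, err := mallory.Sign(tampered)
	must(err)
	fmt.Println("forgery as Alice:   ", Verify(alice.Public(), tampered, forged))
}
```

The three failing cases are what “tamper-evident” and “non-repudiation” mean in practice: verification fails as soon as a single character changes or a different key was used. One caveat the quote glosses over: a signature can be copied, it just only verifies against the exact bytes it was computed over, so an audit record must store the content hash alongside it. The whole guarantee rests on the private key staying private, which is why the ACS article puts SignFlow’s keys in FIPS 140-2 Level 3 HSMs rather than on a general-purpose server.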

Apart from ink signatures being prone to forgery, a general attitude of inattentiveness has crept in over the years, making them quite literally a joke. This is most applicable when it comes to transaction authorisation.

“When last did you notice a waiter or retail clerk checking the signature you pen on the receipt? And do you always sign legibly and consistently?” asks Van der Merwe.

As far back as 2001, Internet humourist John Hargrave experimented with this notion in a credit card prank in which he forged outlandish signatures on receipts. He reportedly signed receipts with, among others, “Mariah Carey”, “Beethoven” and “I stole this card”. Hargrave even signed in hieroglyphics. None of the merchants noticed. (Hargrave recounts his famous Credit Card Prank in his 2007 book, Prank the Monkey.)

‘Sign here’ has been replaced with ‘Click here’

Former US president Bill Clinton lent credence to the solidity of signing digitally in 2000, when he signed the first US bill into law electronically.

Renowned American business magazine Forbes begins its article on Clinton’s watershed signing with the line, “‘Sign here’ has just been replaced with ‘click here’.”

Another turning point in the life of the digital signature took place earlier this year, in July, when the European Union’s eIDAS regulation on electronic signatures took effect, giving qualified electronic signatures the same legal effect as hand-written signatures.

“The benefits of employing digital business processes far outweigh the paper-reliant processes of days gone by and it’s only a matter of time before digital signatures take over from their expiring ink-on-paper counterparts,” says Van der Merwe.

Not only are digital signatures undeniably more secure and unable to be forged, he concludes, they are legally sound. “Importantly, they also create a digital audit trail and they don’t rely on filing, printing, scanning or back-and-forth emailing – paper-based processes that cost companies profoundly, in terms of both time and money.”

[REFERENCES]

  1. SignFlow
  2. The Verge
  3. New Republic
  4. Forbes

Credit vetting – an essential key to SME success

For SMEs, sound risk management via credit vetting is not only advisable, it is absolutely essential.

Wasting precious time and resources chasing down debtors for money is not only undesirable for any business, it can be downright destructive. The good news is, there is a way to avoid this – and it is inexpensive and painless. Two words: credit check.

If you are in business, you will know that cash flow is king. This is especially true in the small to medium enterprise (SME) environment, where finances are particularly tight. Clients that default on payments can – and inevitably do – seriously jeopardise the success of your company.

One of the most reliable ways to protect your business – and ultimately boost its financial fitness – is through consistent credit vetting.

Credit vetting is simply the process of affirming the credit worthiness of customers in terms of financials. Checking the credit status of your clients greatly minimises uncertainty around whether your invoices will be paid, as it provides an overview of their credit rating and reveals whether there are any judgements against them, or whether they have defaulted on payments in the past.

Simple step towards success

According to Leon van der Merwe, senior business development manager at customer communications firm PBSA, the percentage of small businesses simply overlooking this critical process is staggering.

“Simply taking the steps to check the credit status of companies and directors before doing business with them is straightforward, very affordable and it could make all the difference.”

A detailed credit application document with correctly captured information, credit vetting consent and related terms of agreement will protect the financial wellbeing of your organisation, he adds.

All of this can be easily accessed via pbVerify, a PBSA product that offers a user-friendly online credit vetting service. Specifically for small to medium sized businesses, pbVerify is connected to all major credit bureaux and credit data providers and is credible and accurate.

“Neglecting this crucial step towards managing a successful business can cost you profoundly. Having an overview of the credit worthiness of potential customers, on the other hand, will help you make better decisions, in turn saving you time, trouble and money,” concludes Van der Merwe.

For a comprehensive view of all pbVerify’s vetting solutions, please visit www.pbverify.co.za