Data protection: SA companies need to take a global stance

With the implementation of the EU’s data protection laws just around the corner, local entities need to study up on how it could affect them.

D-day for implementation of the European Union’s (EU) General Data Protection Regulation (GDPR) is just three months away – and South African organisations are by no means off the hook.

If you are a South African entity that handles individuals’ personal data, you will be acutely aware of our country’s data protection law – the Protection of Personal Information (POPI) Act – but have you considered how the looming GDPR affects the way you manage clients’ personal information?

The fact of the matter is, if you are a locally-based business that offers goods or services to EU customers, you also deal with personal information or data relating to EU citizens – and you are just as responsible for complying with the GDPR as any EU business.

Leon van der Merwe, head of digital at customer communication firm PBSA, points out that any entity controlling or processing data relating to EU citizens is affected by the GDPR. “Controlling refers to any organisation that states why and how data is processed, while a processor is any party doing the actual processing of the data, whether based in the EU, or not.”

GDPR vs POPI

Van der Merwe says it is crucially important for local companies with dealings abroad to do their homework and familiarise themselves with the GDPR’s ground rules. “Companies could be fined heavily under GDPR regulations if they fail to provide evidentiary and auditable processes, as well as adequate IT security, to protect personal data.”

The GDPR is a regulation born out of the European Parliament, Council of the European Union and European Commission’s joint intent to strengthen and unify data protection for EU citizens.

Non-compliance with the GDPR comes with a hefty fine of up to €20 million (about R290 million) – or 4% of annual sales.

Similar to SA’s POPI Act, the GDPR is all about data protection. Data includes things like a person’s name, email address and phone number, as well as information collected by website cookies like internet browsing habits.

Breaching rules laid out in the POPI Act comes with a R10 million fine and/or a jail sentence.

Van der Merwe summarises the parallels between the two data-protection directives: “POPI and GDPR are similar, in that they both aim to strengthen the protection of personal information. They differ in their approach, in that the GDPR takes a wider, more global perspective that includes anyone, anywhere either controlling or processing – or both – data relating to EU citizens.”

Auditable business processes

A big part of compliance, when it comes to both the POPI Act and the GDPR, specifically involves audit trails – something PBSA’s digital signature and workflow product, SignFlow, is heavily centred on.

For evidentiary purposes and in order for any company to assert GDPR compliance, the automated management of an audit trail is imperative.

Van der Merwe says SignFlow can assist customers in their strategy to automate and digitise processes in a responsible and compliant manner. “Business Process Automation is at the forefront of our technology development at SignFlow, including tools like DocFlow, CaseFlow and our digital customer on-boarding tools.”

At the core of SignFlow, he says, is Public Key Infrastructure (PKI). “PKI manages users’ private keys, and signs and secures documents using Public Key Cryptography. Not only does this make documents tamper-evident after they’ve been signed, but the entire operation is conducted in a secure network over encrypted secure socket layers between the public, personal devices and private servers.”

Unlike paper files and systems managing email attachments, this portal fully controls and audits the workflow and communication channels between interacting parties. “This greatly reduces the risk of data leaks,” says van der Merwe.

“The system enhances non-repudiation, creating a digital trail of undeniable events that prove intent and identity.”

With GDPR set to come into effect on 25 May 2018, and the high stakes attached to non-compliance, South African companies simply cannot afford not to take a global view on data protection. “The protection of personal information goes far beyond just the POPI Act for local companies dealing with international customers,” says van der Merwe.

 


PBSA upgrades to Relay inserter range

The customer communication firm has just launched a new suite of mail folding and inserting machines that will fit any size business’ needs.

Being a company that believes in moving with the times – and bringing its customers only state-of-the-art technology – PBSA has upgraded its folding and inserting machines to the Relay range from global technology company Pitney Bowes.

The move gives pbOffice – the division of PBSA that provides automation solutions to serve mailing, marketing and communication applications for small and medium-sized enterprises – the ability to better serve its customers by being able to more accurately align machine specifications to specific application needs.

Quieter to operate and more aesthetically pleasing, the new Relay inserter range is more office-friendly. More importantly though, the Relay range drives higher performance, increasing productivity and allowing you to focus your time and energy on driving your business.

The Relay range of inserters comes with a number of vital features and scores of benefits. These state-of-the-art machines come with guarantees of:

  1. Data protection for your customers: This is an invaluable benefit, especially given the country’s personal information laws (does the term POPI Act ring any bells?).
  2. More productivity, less wasted time & money: Relay inserters offer a proven, easy-to-use platform that delivers fast, accurate and affordable mail assembly.
  3. 100% Accuracy – every time: The Relay range of inserters was specifically designed to deliver accurate, reliable processing of mail – so you can be confident your mail is not only getting out on time, but the right information is getting to the right customer. Every time.
  4. Ease of use: Even if you’re not technically inclined, you can be up and running with your Relay inserter in no time, ensuring your monthly mail gets out quickly and easily.
  5. Customisation: You shouldn’t have to tailor your mail programmes to the limitations of your equipment. With the Relay range of inserters, you have the ability to process various sizes of letters with the option of processing flat-sized envelopes or mailers.

For more information on pbOffice products and services call 010 300 4893.

FICA compliance made easy

SA’s leading data bureau gives businesses the key to pain-free compliance.

Although the Financial Intelligence Centre Act (FICA) came into effect almost a decade and a half ago, it is as relevant today as the day it was conceived.

Instituted in 2003 to curb financial crimes, such as money laundering, tax evasion, and terrorist financing activities, FICA is a law that all financial institutions need to comply with. This includes any business that provides credit facilities in any form – whether assets like houses and cars, or retail items like mobile phone contracts and appliance/clothing accounts – or cash in the form of loans.

FICA basically makes it incumbent on all aforementioned financial services companies to reassess their entire client list, in order to ensure that all clients’ identities and finances can be verified. Think of it as a sweeping credit check of every person in an existing database – it is a means of identifying any individual who could potentially pose a threat to your company.

As with any law governing how businesses handle customer identification and verification processes, and how they manage records, FICA is multifaceted, and comes with severe penalties for businesses that are non-compliant.

Pain-free compliance

But, as daunting as this may sound, it does not need to be – nor does FICA compliance need to be another headache you have to deal with as a credit providing company.

South Africa’s leading data bureau, pbVerify, offers a range of services to make your path as a business striving for FICA compliance as straight as possible.

A division of pbDigital, under Customer Communications firm PBSA, pbVerify is essentially a credit risk management tool for any size business in South Africa that grants credit accounts and payment terms to other businesses and/or to South African consumers.

pbVerify’s online web-based tools help companies assess credit risk by evaluating the credit history of any business and its principals and/or any consumer a company wishes to grant credit terms to. This is done via multiple credit bureaus and other business-critical data providers, through one easy-to-use website.

Included in pbVerify’s suite of services, are the following consumer credit check products, which offer your business a painless means of becoming FICA compliant:

Consumer traces for address validation: Facilitated by three of South Africa’s main data credit bureaus – XDS, TransUnion and Compuscan – pbVerify’s consumer trace service gives you access to consumers’ latest contact information.

Bank account verification: pbVerify’s Bank Account Verification Service allows you to efficiently verify the bank details of a consumer, and determine the status of their account – whether the account is currently active, open or closed and whether it has been open for more than three months. The service is available for the 5 major banks in South Africa only.

CIPC Company & Director Verification: pbVerify’s CIPC Company Search Report – one of the most advanced CIPC search tools in South Africa – allows customers to easily retrieve and verify all registration information related to any registered South African business and its principals. Complementing this search tool is the CIPC Director Search Report.

ID Verification: The pbVerify Home Affairs ID Verification tool is used to determine the correct identity information on South African citizens. (This validates the consumer’s identification, but does not confirm whether or not they are credit active.)

Alongside this, pbVerify’s ID verification API is used by various corporations, retailers, telecommunications companies, online service providers and system integrators to instantly verify identities for a range of different functions, including customer identification at point of sale, fraud prevention, online transaction verification, customer relations, human resource software and more.

Portfolios feature aids POPI, FICA compliance

SignFlow’s secure multi-document portal, Portfolios, offers businesses a reliable means of complying with stringent regulations.

There are two well-known and much-publicised Acts that make South African businesses shudder in their shoes – the Financial Intelligence Centre Act (FICA) of 2001 and the Protection of Personal Information (POPI) Act of 2013.

The two pieces of legislation have much in common. To begin with, they both have to do with how your business deals with customer identification and verification processes, and how it stores and maintains customer and transactional records. Secondly, there are severe penalties associated with non-compliance – severe enough, in many cases, to cause irreparable reputational and financial damage.

Third of all – and this is the good news – SignFlow can help you comply with both. Our digital signature workflow solution offers you an efficient and sure-fire means of making sure your business processes and IT systems are up to scratch when it comes to compliance with both these Acts – so you need no longer shy away from the dreaded “F-word” and “P-word”.

Portfolios

FICA and POPI compliance largely comes down to how you transmit, maintain and store customer data and, while the sheer volume and variety of data may make the process seem very complicated, SignFlow’s Portfolios feature offers you a surprisingly simple means of tackling it.

A SignFlow Portfolio is basically a portal where you can accumulate multiple documents that have been through a workflow and signed, in combination with documents that are just uploaded and stored.

Because there is no email (which is inherently insecure) involved and all documents are uploaded through a secure, encrypted channel, to an online portal where they can only be accessed by the individuals authorised to access them, Portfolios is an invaluable tool to have in your arsenal when you are striving for FICA and/or POPI compliance.

Let’s take an insurance company, for example:

  • The company requires identification and proof of residence documents (documents required by FICA that both also have a bearing on POPI) from a client.
  • That same client needs to sign a contract, which contains personal and financial information, and send it back to the company.
  • SignFlow Portfolios enables you and your client to upload and share documents (both signed and unsigned) via an encrypted portal.
  • There is no emailing, printing or scanning of documents involved at any stage.
  • All your client’s information is kept neatly in one designated, easy-to-access and searchable databank.

Given that the implementation date for the POPI Act is expected to be set this year – and in light of the FICA failures* we have seen in the past, you are under more pressure than ever before to make sure your business complies. Contact SignFlow today for more information on how we can ease the pressure and give you total peace of mind.

* In April 2014, the South African Reserve Bank fined the country’s four largest banks R125 million collectively for failing to comply with FICA. (www.sanews.gov.za)

PBSA shredders underpin POPI compliance

The company’s hard drive shredders offer local businesses a sure-fire way of complying with the act’s stringent data protection laws.

This year, the implementation date for the much-publicised Protection of Personal Information (POPI) Act is expected to be announced, and local businesses will have a year from this date to become compliant – or face severe penalties.

Passed into South African law towards the end of 2013, the POPI Act essentially regulates how companies store and secure personal information of individuals and entities. Because the act aligns South Africa with international laws on privacy, it includes some stringent rules that businesses – no matter their size – will need to follow to a T.

Wale Arewa, CEO of Secure IT asset disposal company Xperien, says, although the POPI Act gives companies a grace period of a year from commencement to comply with its requirements, they should make it a top priority now.

“There are serious penalties [for non-compliance with the act]. Besides the possibility of prison terms and fines of up to R10 million, POPI also allows individuals to institute civil claims. This means there is the possibility of further financial loss on top of any fine that may be imposed,” warns Arewa.

Data demolition

One of the POPI Act’s key objectives is to ensure customer data is destroyed sufficiently. According to the act, user data cannot be kept for longer than necessary and will have to be completely destroyed – not merely deleted or superficially disposed of.

This means it is simply not good enough for companies to wipe or format a hard drive, nor is it sufficient to toss it out, regardless of how unlikely it may be that it will be discovered.

The only sure-fire way to destroy data, is to physically shred it – a method vouched for by international business news site Bloomberg, in an article entitled “The right way to destroy sensitive data”.

“Hard drives are fed into a machine that resembles a photocopier, which chews and spits out slivers of scrap metal,” the site explains.

pbOffice, a division of PBSA (formerly Pitney Bowes South Africa), offers a failsafe solution to data destruction with two quality HSM machines – the HSM Powerline HDS230 Hard Drive Shredder and its smaller – but equally effective – counterpart, the HSM HDS150 Hard Drive Shredder.

Both fully data protection compliant, the two hard drive shredders destroy digital media devices in a safe and economical way. These safe and easy-to-use devices shred hard drives into tiny particles – ensuring absolute and irreversible destruction of all data contained on them.

Designed with longevity in mind, both hard drive shredders feature sturdy, solid steel-cutting units and powerful drives. Additionally, because the units feature high throughput capacity and energy-saving continuous operation, they are an intelligent choice for businesses seeking to reduce their carbon footprint.

Visit us today to find out more, or to request a quote.

[REFERENCES]  

Bloomberg.com

Xperien.com