Data protection D-day is here – SA companies take heed

Featured

gdrpGDPR is here, and for organisations that deal with any personal information relating to EU member states, non-compliance will be ruinous.

The countdown has ended. D-day for enforcement of the European Union’s (EU) General Data Protection Regulation (GDPR) is here.

As of today, 25 May 2018, penalties will begin rolling in for organisations that have not yet taken the necessary steps to ensure they are compliant with this restructured – and considerably more stringent – set of data protection regulations.

The GDPR is a regulation borne out of the European Parliament, Council of the European Union and European Commission’s joint intent to strengthen and unify data protection for EU citizens.

But just because the GDPR is an EU regulation, South African organisations are by no means off the hook. On the contrary, experts warn, local companies need to take the GDPR – positioned as one of the most significant changes in data privacy regulation in 20 years – very seriously.

The inescapable fact is, any South African company that handles personal data connected to the EU has to comply with the GDPR, and failure to do so will be met with the same major consequences EU organisations face for non-compliance.

Far-reaching forces

Over recent decades, not only has personal data has become an increasingly important corporate asset that needs to be handled with extreme care, it has also become geographically agnostic. This means that, today more than ever, with the exponential growth of data propagated across borders, organisations globally need to take a staunch and unified approach to guarding it.

South African organisations, big or small, are no different – and the GDPR is not the only government-led product of this hugely digital age, nor will it be the last, it is merely the latest one to be enforced.

Leilani Smit, compliance professional at Smit Compliance (Pty) Ltd, notes that the GDPR applies to any local organisation that holds or processes data on EU citizens, regardless of the location of its head office. “This includes companies that have employees in the EU, sell or market products or services in the EU, or partner with EU organisations.”

Leon van der Merwe, head of digital at customer communication firm PBSA and director of local digital signature and workflow solution SignFlow, adds that any South African entity controlling or processing data relating to EU citizens is affected by the GDPR. “Controlling refers to any organisation that states why and how data is processed, while a processor is any party doing the actual processing of the data, whether based in the EU, or not.”

World Wide Worx MD, Arthur Goldstuck, says the effects of the GDPR will be far-reaching due to the fact that the EU is SA’s biggest trade partner. “[On top of this], any company that does business with a company that has to comply with GDPR, will also have to comply, to ensure the client is in compliance.”

GDPR vs POPI

Fortunately for SA, details around the country’s own local version of data protection policy – the Protection of Personal Information (POPI) Act – have been highly publicised since 2013, and many companies will already be familiar – some even largely compliant – with what is expected of them in terms of data protection.

Summing up SA’s POPI Act, Michalson’s says: “Essentially, the purpose of [POPI] is to protect people from harm by protecting their personal information. To stop their money being stolen, to stop their identity being stolen, and generally to protect their privacy, which is a fundamental human right.”

Although – unlike the GDPR – it is still not known when POPI will come into effect, what is known is that companies will have a one-year transitional phase in which to comply once POPI’s implementation date is made public.

Smit says, should a local company already be compliant with international legislation such as GDPR, the implementation of policies to comply with POPI “should be a breeze and not require anything other than normal company practices and procedures”.

Van der Merwe says POPI and GDPR are similar in that both are intended to strengthen the protection of individuals’ personal information and privacy, and it is precisely this element – intention – that is key here, says Goldstuck.

The high price of non-compliance

Another area in which both sets of rules are similar, is in the hefty fines that come with non-compliance.

In a nutshell: breach rules laid out in the POPI Act, and face a R10 million fine and/or a jail sentence; fail to comply with the GDPR’s regulations, and be prepared to be slapped with a fine of up to €20 million (about R290 million) – or 4% of annual sales (whichever is greater).

Smit comments: “In South African terms, POPI already poses strict penalties for non-compliance, however as far as our Rand stretches, the GDPR’s penalties will definitely cause sleepless nights.”

Although possibly the biggest concern for companies, Smit notes that financial implications are not the only implications they should be worried about. “Not only can non-compliance result in fines and penalties set by the legislation itself, but [the] reputational damage of not processing information correctly, can often be more damaging that the initial penalty itself.”

It is this high price of non-compliance IT and legal experts hope will drive South African companies to do the right thing – not only for themselves, but ultimately for their customers – and fervently strive to meet GDPR compliance criteria.

Consumer-centric control

Van der Merwe says it is all about the consumer. “Both GDPR and POPI were ultimately created to protect the consumer’s privacy. We are all someone’s consumer, and even small businesses owners need to think carefully and logically about areas in their business where personal information is processed or stored, and what vulnerabilities may exist in their processes.

“For instance, we all receive CVs that contain heaps of personal and even sensitive information. Often, after a host of interviews, only the person’s CV that is employed, is securely transferred to a digital or physical vault in HR. What happens to the rest of the CVs that did not make it? It is the responsibility of any business to have policies and procedures to timeously and responsibly destroy such information. Simply identifying these vulnerabilities and implementing logical measures to manage them, is a good start for any size business.

“GDPR is a good thing that could be very bad news for companies, if they fail to provide evidentiary and auditable processes and adequate IT security to protect personal data.”

Goldstuck adds that it is not only important, but essential, that South African companies have a global view on data protection. “Something as simple as having a website hosted on an international platform can make a company liable to sanction under GDPR.”

Teaming up with tech

When it comes to local companies complying with the seemingly daunting and complicated GDPR in a relatively pain-free way, experts agree technology will be key. Software systems that offer automation, content management, enterprise resource planning and accounting, among others, will become a lifeline for many companies in their quest to comply.

Van der Merwe says existing paper-based processes and antiquated electronic systems that were created prior to factors such as the GDPR and POPI, pose major risks of contravening their laws and directives. “It is all about how businesses – and governments themselves – are going to align their physical and data processing practices with the new requirements and legislation. New regulations that enforce concepts such as the right to be forgotten pose major challenges if not considered in the process from the outset.”

Goldstuck says, while the data protection laws necessitate considerable changes in the ways businesses operate and interact with customers, good compliance systems will provide most of the safeguards they need.

“Businesses will have to get permission for almost every interaction with customers, they will have to become more discerning in what information they require from customers, and they will have to institute strict compliance systems to ensure they do not fall foul of these laws. As a result, compliance officers, CIOs and CTOs will have more direct roles to play in customer strategy.”

Don’t delay

Although not yet enforceable, the commencement date for POPI has been looming large on the horizon for some time now, with many expecting it by the end of 2018.

Despite this, say experts, many organisations are far from being ready. Goldstuck says: “Most large businesses have geared themselves up to comply with POPI, although many have not put this gearing up into effect. However, there is also an impression that many companies are simply not bothering until they are forced.”

Forrester’s 2018 predictions indicate that a whopping 80% of firms will not comply with GDPR regulations by May this year.

This has to change – and fast – says Smit. “Businesses can no longer just take a backseat and hope this will pass by or fly over.  Active steps will have to be taken in an organisation, for instance staff training, risk assessments and creating an ethical culture within an organisation, specifically with regards to processing personal information.”

 

 

[REFERENCES]

  1. EUR-Lex – Access to European Law
  2. org – Web learning resources for the EU General Data Protection Regulation
  3. Government Gazette (justice.gov.za) – Act No. 4 of 2013: Protection of Personal Information Act, 2013
  4. Michalson’s – POPI Act Summary in Plain Language
  5. Forrester – Predictions 2018: A Year of Reckoning

Making sense of a digital web of data

eepublishersPosted by EE Publishers on 23 February 2016

There is a myriad of digital data being generated on a daily basis, with bring your own device (BYOD), social media and the internet of things (IoT) becoming increasingly prolific as internet users progress in what is referred to by local research firm World Wide Worx as the “digital participation curve”.

For companies, making sense of it can be a headache, not to mention a major drain on resources. What follows are some of the challenges – and possible solutions – around security issues that should be top of mind in today’s business environment.

It has been a constant battle for the past two decades to ensure a secure internet and, although massive advancements have been made, the internet is still not 100% secure. As we start connecting hardware devices that control things like domestic and business security systems, smart devices, personal fitness devices, tracking devices and electrical appliances – to name a few – the situation will only become more complex.

The hardware appliance is the weakest link – no matter what it is – so the hardware device needs to be built to accommodate security features like encryption, multi-factor authentication and password strength validation.

BYOD boom

While BYOD indisputably brings with it a number of benefits for companies, it also comes with its fair share of security concerns. Organisations that permit BYOD can benefit from a reduced investment in hardware and enable employees to be more mobile and have 24/7 access to network resources.

On the flip side, the possibility of jeopardising company data is a reality that cannot be overlooked. This can be caused by lost or stolen devices, insecure applications, unauthorised access by non-employees and the fact that devices can connect to company networks over insecure wireless networks.

Interlinked with BYOD is IoT – a relatively new phenomenon bringing with it similar challenges. Although IoT is not a mainstream reality in South Africa as yet, it is said to be rapidly heading that way. IoT will become a reality in South Africa without doubt. Every time our devices become smarter and faster, we move forward towards a fully connected IoT.

While growth offers a lot of opportunities, IoT, in essence, is still not mature, or secure. Adding millions of new devices, billions of lines of code, along with more network infrastructure to cope with the load, will create a new set of challenges, probably far exceeding those of the past two decades.

Despite this, it is believed that local businesses do not take security seriously enough. Even though larger, more security-conscious organisations like banks take security very seriously, they do not necessarily align their security strategies to accommodate for future demands or what the impact of their security strategy has on customer experience. So-called midstream businesses in South Africa generally have very poorly managed security policies, if any.

IAM solution

In both instances of BYOD and IoT, security is key, but this does not mean that businesses need to have specialised security needs.

One of the products in PBSA’s software division, pbDigital, advocates is identity and access management (IAM). IAM outsources all required security requirements to run on the latest international identity and access management on one centralised solution.

IAM is a customer-centric identity and access management solution that empowers users to manage their own identities, enabling the organisation to reduce customer care costs by automating the identity processes.

IAM improves customer convenience with verified social identities and provides strong, multi-factor authentication for business-critical transactions. In other words, IAM takes care of centrally managing the identities of online users, eliminating the need for organisations to spend time and recourses on manually managing user access to their networks.

This is one of the means that companies can use to address the security challenges they face amid the burgeoning of data-intensive phenomena like BYOD and IoT. IAM is designed to centrally manage hundreds of thousands – even millions – of identities, devices and their associated access to multiple networks, which is simply not doable with physical customer service or manually managed security.

IAM involves linking the correct person (device owner) to the device. The second application is managing the access rights the device has to one or more networks, and the third is encrypting the channels of communication between the device and the various networks. All of these instances are centrally managed by IAM.

IAM is one of a range of solutions companies can employ to protect their digital empire, says Van der Merwe, and security can not be ignored by companies operating in today’s digital world.

Weak security when it comes to BYOD and IoT in the workplace will affect the confidence of consumers and organisations. This, in turn, will slow the process down until strong security is adapted and users and organisations can enjoy the benefits of IoT confidently and securely.

Contact Leon van der Merwe, PBSA: leon@pbsa.co.za / Tel: 011 516 9459