
Why POPI compliance is not just an IT issue

South Africa's Protection of Personal Information (POPI) Act, which comes into full effect in July 2021, is modelled on the European Union's General Data Protection Regulation (GDPR), and it affects every business that processes personal information. Since it came into force in 2018, GDPR has become the global benchmark for protecting individuals from the unlawful use or disclosure of their personal information.
Johan Scheepers | image supplied

Many organisations believe that POPI will not affect them, or that compliance is simply an IT problem. That is a short-sighted attitude that could see them fall foul of the law. Compliance requires business and IT to work together to manage data effectively, and doing so delivers business benefits of its own.

The buck does not stop with IT

POPI is an umbrella data protection law that governs how businesses must handle personal information, and it does so far more extensively than the scattered, sector-specific rules that have existed to date.

In the information economy, protecting data is of the utmost importance, not only for compliance purposes but to safeguard the business itself. While IT plays an important role in data management, and therefore in compliance, technology is not a magic wand that an organisation can wave to become compliant.

Technology is an enabler: it helps a business find, classify and manage sensitive information. But the shift to remote working, with businesses deploying a variety of collaboration tools, has left data increasingly fragmented across systems, devices and cloud services.

IT can provide the tools and security controls that prevent unlawful access to data, but it is the responsibility of the business as a whole to apply the principles of POPI. If the processes and governance around the data, both business matters, are not put in place, the technology will fail. Moreover, under POPI it is the responsible party, the business and its accountable officers, that is held liable when a compliance breach occurs, not the IT department.

No checklist for compliance

POPI presents businesses with a twofold problem: what information has been entrusted to us, and how do we protect it? The challenge is that there is no checklist an organisation can tick off to guarantee compliance. POPI consists of a set of guiding conditions that are open to interpretation, among them security safeguards, data subject participation and, importantly, the right to have one's personal information corrected or deleted (the "right to be forgotten"). This is why governance is critical.

Data governance needs to become an integral part of how the business operates. That means a cycle of continuous improvement, so that the business can not only claim compliance but demonstrate that it has taken all reasonable steps to comply.

In terms of IT security, best practices include encrypting data at rest and in transit, particularly data stored off-premises or with cloud providers, and ensuring that access to personal information is strictly controlled, granted on a least-privilege basis and reviewed regularly. The reality is that there is no such thing as 100% secure, but there are mitigating steps that can and must be taken to safeguard data.

Protecting personal information is in everyone’s best interest

Compliance and governance are not once-off exercises; there is no end goal or destination. They are changes in business process and practice that must keep evolving to meet a changing threat and regulatory landscape.

Nor is compliance bureaucracy for its own sake. Protecting personal information means stopping that information from falling into the wrong hands, where it could be used for malicious purposes. At the end of the day, these laws are there to help us all, because we are all consumers.

IT and business need to work together to ensure that the processes and governance needed to protect data are in place, that access is appropriate, and that the various silos of data across the organisation are managed.

If a business does not know what data it holds or where that data is stored, it cannot hope to protect it effectively. Data management, data governance and visibility into data are the cornerstones of POPI compliance.

About Johan Scheepers

Johan Scheepers is Commvault systems engineering director for MESAT.