Beyond backup & recovery – POPI Act & data management

The Protection of Personal Information (POPI) Act, which came into force on 1 July this year, has compelled organisations to take a closer look at their data management in terms of how it is stored, what data is stored, and for how long this data must be stored.

Essentially, this is the impact that the POPI Act has had on businesses from an information management perspective. While local organisations have been aware of POPI Act compliance requirements for a number of years, it has not really been a major talking point within organisations until now, purely because it has now become enforceable.

The Act has also pushed organisations towards more effective data backup and recovery, with businesses putting controls in place to manage the content and time period for which they must, or can, keep their data.

In the past, organisations often deemed all their data to be important and would thus keep all this information indefinitely, but the Act stipulates that specific data must be kept for a defined period, specifically in terms of data that falls within the Personally Identifiable Information (PII) component of the Act.

More than backup and recovery
POPI Act compliance does, however, extend beyond just data backup and recovery. Organisations need to conduct a business impact assessment to ensure that, in the event of data loss, they are able to restore the required data; failing to do so exposes them to financial penalties and loss of reputation. It would be fair to describe data backup and recovery as a company’s insurance policy on its data.

What the PII component of the POPI Act has brought to light is that not only is it important to be aware of what data organisations are backing up, but that they also need to know what data they are creating, generating, and protecting in their environment. From this perspective it goes beyond backup and recovery because we will eventually reach a point where companies will have to prove that they can report on sensitive data, as well as potentially destroy this data in their various environments.

No evidence of compliance
An organisation can be negatively impacted if customer information is not properly protected during a backup. If the data is not protected and is destroyed, the company has no way of proving to a customer, in terms of the POPI Act, that their data has been appropriately disposed of. Although the data might not be available, there would be no evidence of its destruction and that would then be a breach of the Act.

At the same time, it is quite a challenging task for any organisation to gain an effective understanding of their organisational data, or to report on what data is sensitive from a POPI Act perspective. An organisation would either need to understand the nuts and bolts of every single IT application that generates data, or they would need a tool to scour their environment and do data discovery for PII.

Fortunately, tools are being released that give organisations the ability to discover data and draw up a dashboard showing where their data is geographically located, if the organisation has different geographic locations. These tools can highlight any sensitive data or PII and are able to inform the organisation what should be done with it.

POPI Act compliance can be a very daunting task, but at least we have the advantage of learning lessons from other countries that have been through the process to comply with the requirements of the European Union’s General Data Protection Regulation (GDPR). Furthermore, a data management solution can significantly simplify the complexities that go hand-in-hand with the onerous exercise of compliance.

Find out more about how you can achieve continuous data compliance and secure data for your organisation or that of your customers by contacting
Data Management Professionals South Africa
Tel +27 (0)11 655 7130
email: sales@dm-p.co.za
website: www.dm-p.co.za
