Brainstorm Topic: Risk and Compliance in the Age of POPI

01 May 2017

The Protection of Personal Information (PoPI) Act has been a topic of interest for some time, and businesses and the general public alike have wondered when it would come into effect, how long it would take to become relevant and who would oversee the process as Information Regulator. The appointment of Pansy Tlakula as South Africa’s Information Regulator in December 2016, however, means that the time for discussion is over and the time for action has come, writes Cedric Boltman, Executive: Channel at Jasco Enterprise.

For the general public it is a time of excitement and promise, as people are handed back control and ownership of their own information and how it is used. For businesses that collect, use, disseminate or otherwise hold any information about their customers, employees and suppliers – and, let’s face it, this is the case for most businesses today – it is a time of complete re-evaluation of their data control and privacy policies as they scramble to ensure they are compliant and protected from risk.

1. What are the biggest implications of PoPI, especially from a risk and compliance perspective?

The main goal behind PoPI is to protect personal information from being re-sold, and to prevent the inconvenience, damage, loss or fraud that the resale and use of that information by various commercial institutions can cause. PoPI covers any personal information that a company gathers, whether it relates to customers, employees or suppliers; it prescribes how that information must be stored, what care must be taken in handling it, and when it must be purged. In the IT industry, and particularly in the contact centre environment, a great deal of this type of personal information is gathered daily. The challenge will be that large corporates with contact centres – such as insurers and financial institutions – will need to adapt their current systems to meet the requirements of PoPI and to be able to prove compliance when auditors come knocking.

2. How will PoPI provide an opportunity to remove the pain points customers experience during interactions with a business?

One of the objectives of PoPI is to remove the pain of the unsolicited interactions consumers have with businesses. In an age where this type of information is gathered and rampantly abused all over the globe, it is a means to prevent the painful experience customers have when their personal information is re-used or sold to a business without their express consent, right down to prohibiting the annoyingly common cold calls and unsolicited spam SMS messages. Behind the legislation is the notion that consumers need protection so that they can have peace of mind that their information is not being re-used in a way that could result in loss, inconvenience, fraud or damage. It is also an opportunity for businesses to ensure that they hold correct, relevant information on their customers, limited to what their core business functions require, which saves customers the inconvenience that incorrect personal data can cause.

3. What are the unforeseen IT challenges that arise as organisations are tasked with becoming PoPI-compliant?

A clear understanding of which positions and functions within the business require access to which specific information will be needed for the core business information repositories and storage. Companies will have to do a lot of configuration and planning to ensure that only the appropriate users have access to certain information. Although many systems have that functionality built in, setting up each user and assigning only the rights their role requires will be tricky.

Another hurdle is locality: different forms of personal information protection legislation are being implemented all over the globe. While all of these countries are essentially protecting personal information, they are doing it in different ways, and their timing, deadlines and urgency will not necessarily match ours. Where companies resell, for example, North American OEM technology, it remains to be seen whether those systems can or will be adapted in time to meet the PoPI deadlines. Given these circumstances, South African systems may face requirements that the legislation of other localities does not impose, which could limit the systems and features available to comply with PoPI and become an impediment or a risk for the business. The uptake by South African companies of Software as a Service (SaaS) hosted in foreign countries creates the same challenge: the providers may not be aligned with South African deadlines and specific compliance requirements that differ from their own local legislation.

4. The remaining provisions of the Act are expected to commence in the latter half of 2017, after which companies will have a grace period of one year to become compliant. What do you think are the first steps businesses should take to ensure they comply?

The first thing to do from a risk perspective is to audit all the organisation’s systems to understand what personal data is held and where, and to identify where the gaps are. Once this is done, the organisation needs to decide what measures are needed, whether interim or long-term, and put them in place accordingly. The second step is a full assessment of all internal system users to ascertain what profiles need to be added, and to identify which areas users should and should not be able to access. It is important that user management measures are in place and implemented properly throughout the organisation; if this is not managed properly it becomes chaotic over time. The third step is to ensure there are proper policies and procedures for the dissemination of any information into and out of the company. Companies in the technology space will have the opportunity to target protective technology in this process, and should make the most of the chance to extend their consulting expertise and services to help other companies adapt their systems to comply with PoPI in the long term.

5. How do trends such as IoT, BYOD and cloud, coupled with increases in cybercrime and security concerns, increase risk and make achieving PoPI compliance more complex?

There are two aspects here that will affect PoPI compliance. Having already highlighted the measures a company needs to take to manage the information it already holds, it should be pointed out that BYOD and IoT environments will also be affected by PoPI. Companies are becoming more lenient in allowing workers to bring their own devices into the workplace, because workers are more productive and efficient on them.

In response, organisations have started introducing device management and investigating the effectiveness of measures such as deep packet inspection (DPI) on their networks. What this means is that a profile is set up and the user must log in with a username and password, even on their own device. As long as that user is on the corporate network, they allow the company to shut down functionality on the device: for example, any apps not deemed business-related can be blocked, and information can be prevented from being transferred off the device. As soon as the individual leaves the corporate network, those policies are no longer enforced and they can return to personal use of the device, so this approach only protects data while the device is connected. There are a number of ways to handle the BYOD situation, and probably the best is to have separate user profiles. Enterprise Mobility Management (EMM) apps can be deployed across multiple mobile operating systems, including iOS, Android and Windows Mobile, with Samsung devices coming equipped with Knox. These require users to log into a separate work profile when on the corporate network and ensure that they cannot move information between that repository and the personal repository on the device. When they leave the network, the corporate information stays behind – it is almost like logging into a hot desk, but for devices. Companies need to start employing these sorts of measures; otherwise their information is only as secure as its first connection point.

Taking a step back, the impact of IoT and BYOD is that we are able to gather more comprehensive and richer information on an individual. Personal information previously meant capturing a name and address, but now we can gather information about operating system, device, location preferences, home contents and the like. The detail of the information available is quite scary, and with that in mind the key question for compliance becomes: does your organisation have the systems in place to treat that information with the utmost care, as PoPI requires? Right now, the answer is that no one has it entirely solved.