
Is there more to PoPI compliance than just backup and recovery?

By Nick Wonfor, ITWeb
04 Apr 2018


Never before have South African businesses been more aware of the need to properly protect and store their data, under the looming enforcement of the Protection of Personal Information (PoPI) Act. Organisations are striving to establish effective backup, storage and recovery practices to avoid the strict penalties promised for non-compliance. However, data is expansive, diverse and complex, and proper backup and recovery are not the only requirements for compliance.

Data is everywhere. In businesses, data, both structured and unstructured, resides in many locations, from servers and databases to laptops and even mobile devices. Organisations will struggle to ensure their data is properly protected, and thus to be compliant, if they do not know exactly where their data is at any given time.

What does non-compliance mean?

PoPI has introduced a number of penalties for non-compliance. Serious offences could result in fines of up to R10 million for the business, and/or imprisonment for up to ten years for the business owner(s), manager(s) and responsible parties. Lesser fines and prison sentences await those who are found guilty of lesser offences, such as impeding a compliance investigation.

However, the regulations laid out by PoPI also make good business sense, and there are unwritten consequences for failing to adequately protect the data of anyone in contact with your business. People do business with trustworthy organisations. If a business is found to be non-compliant, its reputation is tarnished and people are less likely to want to do business with it.

To be compliant, businesses need to have the right data management tools in place, and those tools will not be effective if the business cannot identify what data it has or where it resides. Beyond undermining a data management strategy, not understanding one's data also hampers any potential cloud initiatives, effectively putting digital migration on hold. If an organisation does not fully understand what data it holds within the business itself, moving that data to the cloud, and managing it there, will prove challenging.

Much of PoPI is centred on security and ensuring that personal information is well protected. Securing data becomes far more complex if an organisation cannot establish where its data is.

A business may have a sound data security policy, yet still be exposed through loopholes where company data is stored on unprotected devices without the business's knowledge. This opens it up to the risks of uncontrolled data leaks, breaches and losses.

Know your data

It is not enough for organisations to simply collect and store all of their data, no matter how securely. Larger organisations have multiple data pools spread across various platforms, backup and archiving systems, few of which are integrated or able to communicate with each other. So many disparate data pools make it challenging to understand what data the organisation actually has.

Businesses need a single, centralised, technology-agnostic data management tool through which all company data must pass. This enables data to be properly classified and indexed, making it searchable and therefore more easily understood. It also makes it easier to know what data needs to be stored, for how long and where, and allows the business to determine the safety measures required on end-point devices, should it elect to retain data at those points.
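The classification step described above, as an added example that is not code from the article or from Commvault: it scans text records for personal information (email addresses, South African phone numbers and SA identity numbers), assigns each record a label, and checks the label against a handling policy that says where such data may reside. The detector patterns, the labels, the retention periods and the permitted locations are illustrative assumptions, not rules taken from the PoPI Act; the sample records are constructed. The identity-number check uses the standard Luhn checksum so that arbitrary 13-digit numbers such as invoice references are not misclassified.

```python
import re
from typing import Dict, List, Tuple

# Detectors (assumed patterns for illustration; tune them for real data).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
SA_PHONE_RE = re.compile(r"(?<!\d)(?:\+27|0)[1-9]\d{8}(?!\d)")
DIGITS13_RE = re.compile(r"(?<!\d)\d{13}(?!\d)")

# Assumed handling policy per classification label.  The retention periods and
# permitted locations are placeholders for an organisation's own policy, not
# values taken from the PoPI Act.
HANDLING = {
    "public": {"retention_days": None, "locations": {"any"}},
    "personal": {"retention_days": 1825,
                 "locations": {"dc", "approved-cloud", "managed-endpoint"}},
    "personal-identifier": {"retention_days": 1825,
                            "locations": {"dc", "approved-cloud"}},
}


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def sa_id_valid(candidate: str) -> bool:
    """13-digit SA identity number: YYMMDD SSSS C A Z, Luhn check digit last.
    Rejecting 13-digit runs that fail the checksum keeps invoice and account
    numbers from being tagged as identity numbers."""
    if not DIGITS13_RE.fullmatch(candidate):
        return False
    month, day = int(candidate[2:4]), int(candidate[4:6])
    if not (1 <= month <= 12 and 1 <= day <= 31):
        return False
    return luhn_valid(candidate)


def find_personal_info(text: str) -> Dict[str, List[str]]:
    """Return the personal-information tokens found in a record, by kind."""
    found = {
        "email": EMAIL_RE.findall(text),
        "phone": SA_PHONE_RE.findall(text),
        "sa_id": [d for d in DIGITS13_RE.findall(text) if sa_id_valid(d)],
    }
    return {kind: hits for kind, hits in found.items() if hits}


def classify(text: str) -> str:
    """Map the detector hits to a single classification label."""
    hits = find_personal_info(text)
    if "sa_id" in hits:
        return "personal-identifier"
    if hits:
        return "personal"
    return "public"


def placement_allowed(label: str, location: str) -> bool:
    """Is data carrying this label permitted to reside at this location?"""
    allowed = HANDLING[label]["locations"]
    return "any" in allowed or location in allowed


def audit(records) -> List[Tuple[str, str, str, bool]]:
    """(path, label, location, allowed) for each (path, text, location) record."""
    result = []
    for path, text, location in records:
        label = classify(text)
        result.append((path, label, location, placement_allowed(label, location)))
    return result


# Constructed sample records: (path, content, where this copy currently lives).
SAMPLE_RECORDS = [
    ("crm/export.csv",
     "Thabo Nkosi, thabo.nkosi@example.co.za, 0821234567, 8001015009087", "laptop"),
    ("marketing/press.txt", "Q3 product launch moves to October.", "laptop"),
    ("finance/invoices.txt",
     "Invoice 8001015009088 paid, contact ap@example.co.za", "dc"),
]

if __name__ == "__main__":
    for path, label, location, ok in audit(SAMPLE_RECORDS):
        status = "ok" if ok else "POLICY VIOLATION"
        print(f"{path:22} {label:20} at {location:8} {status}")
```

Run stand-alone, the audit flags the CRM export on a laptop as a policy violation (it carries a valid identity number), passes the press text, and classifies the invoice record as ordinary personal data because its 13-digit reference fails the Luhn check. In a real deployment the record source would be the crawl of file shares, mailboxes and endpoints that the centralised tool performs, and the policy table would be the organisation's own retention and location rules.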

When a business understands what data it has, the benefits extend beyond PoPI compliance. Additional tools, such as artificial intelligence (AI) and machine learning, can be applied to the data to provide business insights, enable better decision-making, improve customer service and even define new product sets. Businesses can look to the cost-cutting benefits offered by cloud storage solutions with the peace of mind that comes from understanding their data and their data needs.

From a disaster recovery perspective, businesses are also able to recover much faster when they understand their data. Classifying data puts an organisation in a position to understand which data is critical to which areas of the business, and to build policies around its different types of data. This tells it which data must be prioritised in a disaster. It also supports one part of PoPI compliance, breach notification, since the business can more quickly identify which data has been compromised and notify all affected parties accordingly.

PoPI is going to demand compliance with rules that set boundaries on what may be done with personal information and how securely it is stored. With a central platform that touches all inbound and outbound data, it matters less where the data is stored. The tool will enable the organisation to understand its data better, apply the right rules based on data type across all locations and ensure that the data is protected wherever it resides.

Should organisations decide to embark on the journey to the cloud, there is one key consideration they should keep in mind: they need to select a cloud provider that is PoPI compliant and capable of implementing the same rules around their data that they would.

Regardless of whether their data resides in the cloud, on the business's own on-premise servers, across various backup platforms or on employee devices, a centralised management system helps businesses truly understand their data and reap the best value from it while remaining compliant at every turn.

* By Nick Wonfor, Enterprise Account Manager at Commvault for South Africa.
