South African businesses are busily preparing for the implementation of the Protection of Personal Information (PoPI) Act, undergoing audits and testing compliancy. This is a large task on its own, however many organisations are simultaneously busy with complying to the Payment Card Industry Data Security Standard (PCI DSS), making for an even more complex and onerous process.
PoPI compliancy is something that organisations can ill-afford to procrastinate on. The consequences of non-compliance are severe, and businesses should already be embroiled in their compliancy process. The larger the organisation, the more time it will take and the earlier they need to start. In fact, it’s safe to say that businesses, especially medium-to-large size corporates, who have not yet begun the compliancy journey are already on the back foot, and need to take measures to accelerate this process immediately.
While PoPI and PCI DSS are two different regulations, or standards, both relate to the protection of sensitive information. PCI DSS pertains specifically to the protection of financial information for card transacting, while PoPI takes a broader view, pertaining to the protection of all sensitive customer information across the entire transaction chain.
PCI DSS, however, is a well-entrenched standard, with established best practices in place, and tried-and-trusted implementation processes. Those organisations who are embarking on, or already busy with PoPI compliance projects could greatly benefit from using PCI DSS as a template for their PoPI journey.
Although PoPI is quite specific around its requirements, it is not clear on the best practices that organisations need to put in place in order to comply. “Best practice” is already a rather vague concept, as it is dependent on perspective – a best practice for one organisation may not necessarily be the best practice for another. PCI-DSS, however, already has a clearly defined set of mature controls and processes which can be applied to protect credit card data.
These controls and practices work just as well on a larger scale than purely the protection of financial information – they can be successfully applied to PoPI requirements and serve as a tool for step-by-step compliancy validation.
Organisations who are busy with both PoPI and PCI DSS compliancy audits would do well to start off with PCI DSS. This gives them a manageable starting point, as well as acting as a trial run, then template for PoPI. Businesses can leverage the freely available tools to guide them through the process, and take lessons from what works, or doesn’t. These lessons and tools serve to provide additional guidance when businesses begin the larger task of PoPI compliance checks.
Even organisations who do not need to comply with PCI DSS can use is as a guideline to kick off their PoPI compliance journey. It’s a matter of changing the scope, and starting small. The key with both is to take a ‘bite size’ approach using standards and processes that work, rather than embarking on the journey all at once, with a trial-and-error approach and no clearly defined starting point.
Because PCI DSS is already a mature standard, with mature controls about what is or isn’t acceptable, it allows organisations to clearly plot and track the progress through measurable steps. It enables the ability to measure milestones – which is critical for the monitoring of success.
Starting smaller means organisations can implement quicker on a specific portion of the business and, once the process is running efficiently and working, apply the same principles to the next portion of the business. Whether organisations adopt a milestone approach, or tackle both compliances as a single project, defined measurables are required, and PCI DSS assists with this.
Beyond looking to PCI DSS for guidance and step-by-step approaches on how to comply with data protection requirements, businesses can also take advantage of workshops and supporting services offered by specialised data protection and compliancy assessment partners. Together, these two resources can ensure that organisations – even the late starters – reduce their risk for non-compliancy, and are ready when PoPI becomes enforced.
By Simeon Tassev, Managing Director and QSA at Galix Networking