South Africa has a historical culture of non-disclosure and cover-ups when it comes to data loss and data breaches, but the Protection of Personal Information (POPI) Act will force much greater transparency.
The Act establishes eight data protection principles or conditions, one of which is that responsible parties must take appropriate measures to prevent loss of data, or unauthorised access to data. Then, if there are reasonable grounds to believe that someone who is not authorised has accessed or acquired your data, you must notify both the regulator and the data subject.
For example, imagine someone leaves an unencrypted flash drive or laptop in their car and it is stolen. If there was any kind of data on that drive or laptop that is covered by POPI, there is a clear obligation to report. The penalties for non-disclosure can go up to R10m.
The legislation means the end of attempts to keep data breaches and data losses under the radar. A lot of companies prefer to deal with things quietly, and in some the culture of the cover-up is so strong that the Board would rather not discuss an issue, or even get a report, to avoid putting their awareness of a problem on record. But that is no longer an option.
Warren Olivier, the regional manager for Southern Africa for Veeam Software, also says the issue highlights the need for boards to put data availability high on the agenda. Data availability is not a box to tick; it has real commercial consequences. A company which fails to meet the requirements of the Act may find itself liable for damages. On the other hand, steps that companies take to comply with the POPI requirements will also go a long way to ensure business continuity.
Olivier says POPI may encourage more businesses to keep sensitive data in the cloud: Losing unencrypted data stored on a flash drive or laptop is a worst-case scenario. Maintaining a single storage location in the cloud, with appropriate encryption, helps to ensure that there are no unauthorised or forgotten copies of your data out in the world.
In addition, he says, if there is ever a need to remotely erase a lost device because it contained sensitive data, there had better be another copy – and that copy had better work. All backups must be verified to ensure guaranteed recovery of data and constant availability.
By Jos Floor of Floor Swart attorneys