Earlier this year, Liberty Life became one of the first global firms to suffer a major breach under the General Data Protection Regulation (GDPR), forcing its Chief Executive Officer (CEO) onto television to limit the reputational damage. More recently, British Airways announced that nearly 400 000 customers had had their credit card details stolen in a sophisticated attack against its online booking platform, leaving many clients unhappy and exposed to fraud. South African multinationals doing business in both the European Union (EU) and South Africa must therefore comply with, and prioritise compliance with, both GDPR and the Protection of Personal Information (PoPI) Act.
Privacy and ethics a major trend for 2019
Many organisations in South Africa have posed the question: why should we be GDPR compliant if we are located in South Africa and not in the EU? The answer is that GDPR applies to any organisation that processes the personal data of people in the EU, wherever in the world that organisation is located. This global reach is one reason Gartner has identified data privacy and ethics as one of the top technology trends for 2019.
In addition to GDPR, South African firms must also comply with the PoPI Act, which shares many characteristics with GDPR but goes further by also protecting the personal information of South African juristic persons (companies and other legal entities), not only individuals. Organisations that do business elsewhere in Africa are also finding that many other African countries have their own variations of data protection legislation that must be supported as well.
If you are non-compliant – consumers will vote with their feet
Privacy is not simply a compliance or legal problem. Long before GDPR, companies like Target experienced consumer backlash over both overzealous use of analytics outcomes and data breaches, and Liberty's share price lost 5% almost overnight following its breach.
Consumers are becoming increasingly militant about how their data is used and protected, and are willing to vote with their feet by moving to service providers that appear to take their needs and rights more seriously. Companies therefore need to define their ethical position on the use of data and ensure that this position is reflected in their policies.
Who is responsible?
The complexity of data management in modern businesses is tremendous. It is tempting to treat data privacy and protection as a legal problem and assign it to the Compliance team, or to appoint a Chief Information Security Officer (CISO) and make data privacy his or her problem. In reality, data privacy is an all-encompassing challenge that goes well beyond its legal and security implications.
Organisations should realise that everybody that works with data is responsible for data privacy – with ultimate accountability lying with the board.
As a result, companies need clearly defined data policies, clearly assigned accountability (ownership), and an accurate understanding of where personal data is stored, what it is being used for, and whether that use is in line with the acceptable use policy.
Data governance is key
Data governance brings order to the complexity of modern business. Data governance is not about managing data; it is about governing behaviour. Accelerators such as the Collibra GDPR accelerator allow organisations to adopt best-practice approaches and processes for governing the use of personal data in the business, with immediate alignment to GDPR and PoPI Act requirements. An organisation's legal and compliance team can quickly assess the relevance of the accelerator to its business environment and tailor it to ensure that the organisation's risk is managed. Data governance is the critical discipline that enables GDPR compliance.
By Gary Allemann, Managing Director at Master Data Management