It’s only a matter of time before the Protection of Personal Information Act (POPI) becomes the next compliance issue for local businesses. Major data breaches are now a part of daily news and there’s little doubt this will place a spotlight on data protection legislation.
While we still don’t know exactly when POPI will come into effect, we do know that companies will have just a year to comply once the commencement date is announced.
This is concerning, particularly when one considers how few companies were quick to comply with the General Data Protection Regulation (GDPR). We know, for instance, that just four months before the GDPR came into effect, only 35% of South African companies were working on a plan to comply with the GDPR.
Compliance is an increasingly tall order
It’s no surprise that businesses are battling to meet data compliance standards.
The volume of data they’re required to store and manage keeps increasing exponentially. In fact, the IDC estimates that by 2025, the world will create and replicate 163ZB of data – a tenfold increase on the amount of data created in 2016.
Added to this challenge is the growing number of complex data types. More and more unstructured data is being generated through platforms like social media, instant messaging, text, voice and video. The problem is that businesses simply don’t have the relevant technology to track, report and mine these data types.
Across the world, regulations are also evolving, making it even more difficult to be compliant, especially for global companies. The GDPR is a perfect example of this.
Establish the risks
Before your business can develop a policy framework, it first needs to have several important pillars in place.
This begins with assessing your business maturity in relation to information governance. It involves assessing your critical information assets and determining which hold the greatest risk as well as how those information assets are managed and stored. The kinds of questions your business needs to answer include: What kind of information does it hold? Where does it store its information? Is this information stored electronically or manually? For how long is this information stored?
Because your business has many different types of content, it’s naturally exposed to a wide range of different risks. As such, conducting a thorough content audit will help you determine your business’ vulnerability to risk. After you have conducted a content discovery exercise, your content audit should answer questions such as: Which documents need to be preserved in secure archives?
Understand your legal obligations
The next step is to undertake a regulatory compliance review. It’s important to understand the legal obligations specific to your company when formulating a data governance programme. For example, often a business’ compliance requirements are dependent on its number of employees or its industry.
Multinational companies in particular are impacted by thousands of different regulations, needing to comply with everything from data protection legislation to local tax laws. It’s therefore hardly any wonder that regulatory pressures are increasingly top of mind for many business executives.
Put together a core team
Before you can implement a data governance framework, you also need to establish an information governance team, ensuring the team includes representatives from across the business. It’s particularly important to involve senior representatives from areas of the business like compliance, security, legal and risk.
This core team will then be responsible for the implementation and success of the governance programme, driving various operational issues. This includes the development of a work schedule, creation of policy and strategy, as well as communication around and implementation of the solution.
Tech will get your policy off the ground
Once you’ve identified the weaknesses in your company’s data governance processes, you can start to develop a plan to mitigate these risks.
The use of technology to establish, automate and enforce the resulting policies will prove critical. Ultimately the right technology can greatly help reduce the burden of long-term data protection, preservation, management, and compliance with business and regulatory requirements. It can also help to deduplicate or compress the data, enabling it to be transferred to more cost-effective storage media.
And once you’ve established trust in your data, you can begin to foster innovation and growth.
By employing data, IoT and analytics services, your business can begin to optimise its data and leverage it to achieve particular objectives.
But even more importantly, when new regulations like POPI do come into effect, your business will be ready.
By Cleo Becker – Senior Regional Counsel, Emerging Markets, the Nordics & Israel at Hitachi Vantara