
How ready are you to manage a data breach?

Dec 14 2017 06:00
Gary Allemann

LAST month saw the uncovering of South Africa's largest data leak to date, which revealed that the personal data records of over 60 million individuals have been made publicly available, placing them at risk of identity theft and other cyber related crimes.

This has awakened a renewed interest in the looming enforcement of the Protection of Personal Information Act (PoPI).

Had PoPI already been in play, the organisation responsible for the data leak, Jigsaw Holdings, would have had to be held accountable not only for its failure to act in a manner that proves its dedication to protecting personal information, but also for its failure to notify the affected individuals suitably and in time.

While many organisations have viewed PoPI as a necessary evil, the benefits of compliance - and underpinning data governance structures - are quickly being realised.

Yet one of the biggest mistakes that organisations make when it comes to PoPI compliance is thinking that it exists primarily to protect data from external attacks.

Many companies assume that because they have the necessary data security measures in place, they are covered. Data security, however, is only one of the components of PoPI compliance and, if a breach does occur, the organisation still carries a considerable responsibility towards the remaining seven components.

This begs the question: how ready are South African organisations to manage a data breach, should one occur?
 

PoPI and the governance link

The PoPI Act was promulgated in 2013, and requires companies to take - and be able to prove - adequate precautions against data loss. It signals a shift in how organisations think about data privacy, moving the focus away from the actual data towards the fundamental rights of the data subjects themselves.

PoPI requires that organisations put processes in place to ensure that personal data is used only for the purpose for which it was intended, that it is protected from unauthorised access, and that there is accountability. This accountability requires that organisations take the necessary steps to notify both the Regulator and the data subject in the event of a breach - something that failed to happen with the recent mass data leak.
 
Most importantly, PoPI requires that sound data governance principles are proven to have been in place throughout the life cycle of personal data. A data governance policy which ties into the eight pillars of PoPI will not only serve to reduce the risk of breach but will also ensure that, in the event of a breach, the organisation is able to protect itself and minimise the repercussions.
 

The requirements

PoPI outlines eight components, or pillars, for compliance. They are as follows:

1.  Accountability - ensuring that the organisation is responsible for the manner in which it processes personal data, and manages breaches.
2.  Processing Limitations - outlines the limitations that an organisation needs to work within, in order to process personal data.
3.  Purpose Specification - defines that personal data may only be retained and used for specific purposes.
4.  Further Processing Limitation - detailing the requirements for additional use of personal data beyond its original purpose.
5.  Information Quality - outlining the requirements for data quality.
6.  Openness - explains the level of transparency required with regards to processing, use, storage and possible breach of an individual’s personal data.
7.  Security Safeguards - defining what security measures and proofs are required to protect personal information, including access authorisation and notification of security compromises.
8.  Data Subject Participation - outlining the parameters for the organisation’s interaction with the data subject in terms of access, data correction and use of their data.
 

These components are all manageable under a proper data governance policy, which exists to guide an organisation on how to best access, manage, store and use personal data as well as who may do so.

Simply put, if everyone in an organisation knows their own role and limitations with regards to the handling of personal data, and is following proper governance structures, the risk of breach is dramatically reduced.

Setting up a data governance strategy

Data governance comprises three parts: policy, implementation (echoing the PoPI Act’s requirement), and education. The policy outlines an organisation’s responsibility towards personal - and other - data, including who may access and use what data, and how.

The implementation governs the delivery of proper measures to, for example, secure the data, incorporating both data security tools and the processes that organisations follow to secure data. Implementation must also define the process that will be followed in the event of a breach.

Education, however, may be the most important aspect of data governance. This requires clearly communicating to everyone within (and even outside of) an organisation their responsibilities with respect to personal (and other) data, what they have to do to ensure proper use and security, and what the ramifications of non-compliance are.

Creating, defining and implementing a data governance policy that complies with the PoPI Act (and GDPR, if required to do business in Europe) is an ongoing exercise, particularly where large quantities of data are involved.

However, it can be achieved with the help of specialised organisations who are able to understand your business, the risks involved and how to define, or redefine, the processes and mechanisms that enable a sound data governance policy - one which will ensure your business is prepared in the event of a data breach.

  • Gary Allemann is managing director at Master Data Management. Views expressed are his own.
