By Gary Allemann, MD at Master Data Management
Data management and protection can be a complex task, and a ‘one size fits all’ approach cannot be applied for every organisation. With volumes of data increasing at an alarming rate, having a clear, well-defined data management and protection plan should be a top priority for organisations. This is especially true given the severe data protection standards that have been put in place around the world to ensure the security of personal data. The Protection of Personal Information Act (PoPIA) in South Africa and the General Data Protection Regulation (GDPR) in Europe are among the most stringent, imposing harsh measures for illegally processing personal information.
As such, businesses need a data management and protection strategy to ensure they are complying with PoPIA. However, these measures need to be implemented in such a way that they don’t inhibit business owners from achieving other business goals – such as leveraging data for analytics.
PoPIA has changed the data management and protection landscape
Since the promulgation of PoPIA, organisations need to shift their culture to recognise that personal data is the property of the data subject (the person or business the data describes), and may only be used in such a way as to serve the legitimate business purposes for which it was intended.
The main thing around PoPIA is ensuring that access to data is contained; you don’t want to give people access to data that they shouldn’t have. For instance, a sales person in Cape Town does not need access to data for an individual or client based in Johannesburg. However, a sales manager for South Africa will indeed need access to data for all relevant individuals or clients around the country. With PoPIA in effect, it’s crucial to recognise that individuals need to have different levels of access to data, depending on the job description.
Recently, there has been a great deal of news focus on external breaches, such as cyber criminals accessing data. However, many breaches come from individuals who have legitimate access to the data. This often includes an organisation’s internal staff abusing the data or having greater access to the data than should be allowed, and then using it for illegitimate purposes.
Points of failure to avoid
Trying to operate at a system level is very difficult. Essentially, organisations need to have high-level data access policies in place which they need to define and implement centrally so that these policies can then be applied across all points of data.
Data needs to be protected at an attribute level, depending on the role (and therefore business need) of each staff member. Consistent attribute level access policies must ideally be centrally set and applied across multiple data sets.
Building ‘privacy by design’ into IT systems
‘Privacy by design’ is a notion of system design that aims to secure personal data by default. In other words, an individual's privacy is protected even if they do nothing to defend it. Designing for privacy reduces the risk to your business, your reputation and your customer. Good design should ringfence personal data using a combination of attribute-based access controls, encryption and masking. For new systems, this should be considered as a default option.
South African businesses need to create a compliance framework that includes processes and policies. A thorough gap analysis will help identify which processes and policies should be put in place. For example, these may include a personal information sharing policy, a security compromise policy, and a subject access request policy, amongst others.
Organisations should have automated systems in place that not only allow them to define their data management privacy policies, but that also enable them to measure compliance with those policies. To ensure the privacy and security of personal information, stricter data privacy legislation requires organisations to implement strict data processing standards.