How ready are you to manage a data breach?

LAST month saw the uncovering of South Africa's largest data leak to date, which revealed that the personal data records of over 60 million individuals have been made publicly available, placing them at risk of identity theft and other cyber related crimes.

This has awakened a renewed interest in the looming enforcement of the Protection of Personal Information Act (PoPI).

Had PoPI already been in play, the organisation responsible for the data leak, Jigsaw Holdings, would have had to be held accountable not only for its failure to act in a manner that proves its dedication to protecting personal information, but also for its failure to notify the affected parties suitably and in time.

While many organisations have viewed PoPI as a necessary evil, the benefits of compliance - and underpinning data governance structures - are quickly being realised.

Yet one of the biggest mistakes that organisations make when it comes to PoPI compliance is thinking that it exists primarily to protect data from external attacks.

Many companies assume that because they have the necessary data security measures in place, they are covered. Data security, however, is only one of the components of PoPI compliance and, if a breach does occur, the organisation still carries a considerable responsibility towards the remaining seven components.

This begs the question: how ready are South African organisations to manage a data breach, should one occur?

PoPI and the governance link

The PoPI Act was promulgated in 2013, and requires companies to take - and be able to prove - adequate precautions against data loss. It signals a shift in how organisations think about data privacy, moving the focus away from the actual data towards the fundamental rights of the data subjects themselves.

PoPI requires that organisations put processes in place to ensure that personal data is used only for the purpose for which it was intended, that it is protected from unauthorised access, and that there is accountability. This accountability requires that organisations take the necessary steps to notify both the Regulator and the data subject in the event of a breach - something that failed to happen with the recent mass data leak.

Most importantly, PoPI requires that sound data governance principles are proven to have been in place throughout the life cycle of personal data. A data governance policy which ties into the eight pillars of PoPI will not only serve to reduce the risk of breach but will also ensure that, in the event of a breach, the organisation is able to protect itself and minimise the repercussions.

The requirements

PoPI outlines eight components, or pillars, for compliance. They are as follows:

1.  Accountability - ensuring that the organisation is responsible for the manner in which it processes personal data, and manages breaches.
2.  Processing Limitations - outlines the limitations that an organisation needs to work within, in order to process personal data.
3.  Purpose Specification - defines that personal data may only be retained and used for specific purposes.
4.  Further Processing Limitation - detailing the requirements for additional use of personal data beyond its original purpose.
5.  Information Quality - outlining the requirements for data quality.
6.  Openness - explains the level of transparency required with regards to processing, use, storage and possible breach of an individual’s personal data.
7.  Security Safeguards - defining what security measures and proofs are required to protect personal information, including access authorisation and notification of security compromises.
8.  Data Subject Participation - outlining the parameters for the organisation’s interaction with the data subject in terms of access, data correction and use of their data.

These components are all manageable under a proper data governance policy, which exists to guide an organisation on how to best access, manage, store and use personal data as well as who may do so.

Simply put, if everyone in an organisation knows their own role and limitations with regards to the handling of personal data, and is following proper governance structures, the risk of breach is dramatically reduced.

Setting up a data governance strategy

Data governance comprises three parts: policy, implementation (echoing the PoPI Act’s requirement), and education. The policy outlines an organisation’s responsibility towards personal - and other - data, including who may access and use what data, and how.

The implementation governs the delivery of proper measures to, for example, secure the data, incorporating both data security tools and the processes that organisations follow to secure data. Implementation must also define the process that will be followed in the event of a breach.

Education, however, may be the most important aspect of data governance. This requires clearly communicating to everyone within (and even outside of) an organisation their responsibilities with respect to personal (and other) data, what they have to do to ensure proper use and security, and what the ramifications of non-compliance are.

Creating, defining and implementing a data governance policy that complies with the PoPI Act (and GDPR, if required to do business in Europe) is an ongoing exercise, particularly where large quantities of data are involved.

However, it can be achieved with the help of specialised organisations who are able to understand your business, the risks involved and how to define, or redefine, the processes and mechanisms that enable a sound data governance policy - one which will ensure your business is prepared in the event of a data breach.

  • Gary Allemann is managing director at Master Data Management. Views expressed are his own.
