Securing personal information


PoPI offers the channel opportunity, but don’t overlook the implications for your own business, warn the experts.


It’s been a long time coming (although elements have existed in various forms for a while), but the Protection of Personal Information (PoPI) Act seems now to be entering the home straight. Enacted in November 2013, we’re still waiting for clarity on when the framework legislation will commence. Organisations, however, will have one year to become compliant once that date is set.

With so much information residing on IT systems, it’s certainly an issue that affects the channel. The smart channel companies will recognise that PoPI offers business opportunities, such as advising clients on the pitfalls and providing compliant solutions. But, tempered with the opportunity are potential internal operational issues to be addressed for self-compliance too.

PoPI is currently the most comprehensive piece of privacy legislation in the world, so says EY’s South African IT Risk Advisory team, comprising Russell Opland, associate director, and Thagraj Moodley, senior manager.

According to Opland and Moodley, one of the aspects of PoPI that may catch some organisations unaware is that in addition to protecting the information held about individuals (including customers and employees), companies are also going to have to safeguard the information held about organisations – whether that’s customers, business partners, vendors or suppliers.

Francis Cronje, an information governance specialist who advises large entities on the impact of PoPI, states the reverse is also true. Business partners, vendors and suppliers could also be held accountable for any data they consume and, importantly for those offering cloud services, store on behalf of their clients.

Local cloud

Another consideration for those offering or reselling cloud is that, under PoPI, there are good reasons for South African companies to store their customers’ data in the locally-hosted cloud. The Safe Harbour Agreement exists between Europe and the US and allows data transfer within areas that might not have adequate data protection legislation.

“South Africa doesn’t have this kind of arrangement with the States,” Cronje says. “As many cloud solutions are based in the US, for me, that creates a huge dilemma – not just in terms of security but if it comes down to jurisdiction, it’s going to be very difficult to fight a court battle in the US to gain access to my data.

“South African companies therefore need to offer all these safeguard solutions and explain how they can benefit a client. It’s important to know whether they have their own datacentres or locally-based service providers, or whether they merely act as a conduit for a bigger cloud provider.”

Ostensibly, this presents a huge advantage for those offering locally-hosted cloud services as they can promote that these services are local with no jurisdiction issues.

The path of least resistance

Safeguarding customer-specific information is quite challenging from a managed service provider (MSP) and cloud perspective, believes Eren Ramdhani, solution strategist, CA Southern Africa. “Lots of cross-border information flows will have to be taken into consideration.”

Ramdhani goes on to note that PoPI also presents an opportunity for channel companies to revise master service agreements and contractual obligations with both existing customers and vendors.

He believes it’s in the channel companies’ own interests to embrace PoPI. “It would only serve as a protection measure for themselves in terms of being held accountable for inadvertent loss of data or even the malicious type of loss.”

Looking closer to home

Ramdhani advises that channel companies use this as an opportunity to review their own data handling processes. “If you unpack PoPI into the eight conditions, it really isn’t anything new, it just gives reason for other frameworks and best practices that already exist but might not need to be complied with as seriously,” he says.

PoPI requires that organisations with legitimate reasons for collecting personal information destroy that data once it has fulfilled its purpose. Defaulting firms could face fines of up to R10 million, or ten years’ jail time for the executives responsible.

Ramdhani offers a recommended approach to apply to client-facing services, but one that could be adapted for internal processes too. “Initially, try to prevent lots of technical controls that could be an unnecessary cost. Generally, if an MSP revises its own internal behavioural practices in terms of internal use policies and in terms of possibly making staff members sign NDAs, those could be cost-effective measures.

“Behavioural change and creating awareness for MSPs is a start, but MSPs also need to be ready for customers that are quite strict – as in using the customer’s own assets to prevent data from leaving a customer’s site. They need to be open to the fact that customers might insist on having agents on their accounts, so as to prevent data from leaving the organisation – that’s a different mindset for MSPs because they will work differently and will find they have to align themselves to what the customer adopts.

“And lastly, create awareness guides,” says Ramdhani. “If your staff know the implications to the company of their actions, they might be more mindful of what processes are not okay.”

Channel opportunities

Beyond the cloud and channel companies’ own operations, PoPI and compliance unlock all sorts of potential business for the channel, says Fred Mitchell, software division manager, Drive Control Corporation. “PoPI opens up opportunity for the channel but I don’t think channel companies know enough yet. The guys that are however moving on it have a great advantage because end-users and end-user organisations have to adhere to the law.

“From a security perspective: How is the information protected? Where does it sit? What barriers block access to the information? And what alerts are there once someone has accessed information? Also, if and when someone has accessed information, they should not be able to encrypt it.”

Bryan Balfe, enterprise account manager at CommVault, agrees. “This is a chance for channel companies to gain a competitive advantage to market themselves as compliant. You then look like a safer pair of hands, which boosts your reputation, your brand and the trust in your company.”

Balfe’s final recommendation to channel companies is: “Get a view on PoPI, understand it yourself and how it pertains to your organisation. Know how you could help your customers with a service you already supply them with. This will increase efficiencies and produce massive potential for saving,” he concludes.
