The full implementation of the Protection of Personal Information Act heralds a new era of control and privacy for South African citizens and organisations, and holds the promise of deepening trust between organisations and their customers – provided organisations remain fully compliant.
According to Cameron Beveridge, Regional Director Southern Africa at SAP, trust is the key to success in the digital economy.
“Privacy and trust are essential elements in building strong connections with customers and ensuring a positive customer experience (CX) in today’s business environment.”
“In fact, some studies have found that up to 90% of customers believe how their data is treated is indicative of the way they will be treated as a customer, and 91% won’t purchase from a company if they don’t trust how their data will be used.”
Cyberattacks complicate compliance
Protecting customer privacy and data is complicated by a growing global cybercrime industry that has increasingly targeted the supply chains of major organisations and economic powers.
Recent ransomware attacks on key US infrastructure have garnered front-page attention. In one example, cybercriminals successfully shut down the Colonial Pipeline, effectively halting 50% of the supply of petrol and diesel to the US East Coast.
With data breaches costing South African companies on average R20.2-million in 2020, and the Protection of Personal Information Act now fully in effect, the stakes for protecting systems from data breaches have never been higher.
“Enterprise resource planning systems are nerve centres of modern intelligent enterprises, making them prime targets of cybercriminals,” says Beveridge.
“Attackers know these systems run business-critical applications and house sensitive information, so any data breach could provide access to information they can later use in the service of cybercrime activities.”
Taking ‘all reasonable steps’
One of the key requirements of POPIA is that organisations have to ensure they take ‘all reasonable steps’ to secure the data of their customers, partners, suppliers and employees.
“The best run organisations have integrated end-to-end processes that cover the entire breadth of their operations,” explains Beveridge.
“The productivity and efficiency gains resulting from this are undeniable. However, the wealth of data processed and stored by such systems creates an attractive target for cybercriminals.”
The amount of transactional data in typical ERP systems, for example, represent a veritable gold mine to cybercriminals, as does the information about vendors, suppliers and partners.
“The more cybercriminals know about the internal operations of a business, the easier they will find vulnerabilities to exploit. However, it’s not only cybercriminals that pose security or compliance risks.”
Research conducted by IBM and the Ponemon Institute found that the three main causes of data breaches in South African businesses were malicious or criminal attack (48%), human error (26%) and system glitches (26%).
“POPIA adds further pressure on organisations by both raising the bar for privacy management and by its extensive reach and applicability within modern enterprises,” says Beveridge.
“Organisations risk underestimating the level of effort required to implement the necessary process and technology changes to be compliant.”
POPIA tips for security and compliance
Beveridge believes the following tips can assist organisations as they strive for full POPIA compliance while also safeguarding their critical business IT infrastructure from malicious attack or negligence.
Maintain balance – effective data management can give organisations a competitive edge, but proper assessment needs to take place early on to ensure regulatory compliance.
Keep it simple – organisations should simplify their governance by establishing a governance model that is aligned with requirements and best practices, and start by evaluating their readiness for POPIA compliance.
Stay on top – by operationalising privacy management and incorporating ways to identify business processes that need to meet privacy compliance requirements, organisations can keep a close watch on any internal processes that should be changed to remain compliant as the business evolves.
Automate away – data mapping or data crawler solutions can reduce the time and effort needed to identify all repositories of personal information, as well as their owners within and outside the organisation.
Educate employees – every employee needs to understand their responsibility under POPIA, which requires regular and ongoing education and training. Organisations should prioritise a process of ongoing POPIA and cybersecurity training to ensure alignment throughout the business.
Integrate threat detection – an enterprise threat detection solution can provide insight into suspicious activities in an organisation’s ERP and related business applications, allowing the organisation to identify breaches as they occur and react in real time to neutralise any dangers.