The requirement to safeguard personal information probably has the biggest and most challenging implications for businesses. You can no longer look at and manage your business as a set of separate, independent parts; you must connect all the pieces when it comes to effectively managing personal information. So, with all due respect to niche or horizontal software applications such as CRM, email communications, workflow, time management and so on, each of which addresses only one aspect of the business, PoPI is not something you can solve on only one level or with a “silo approach”: personal information flows between those systems, and a gap in any one of them is a gap in your compliance. A practical, cost effective solution requires a holistic approach that unifies your systems and resources. These issues are discussed in much more detail in the BNS Architecture and Implementation Guide.
Step one: make sure YOU are not the weakest link when it comes to protecting your own information. The Act cannot protect you if you are the one deliberately making your personal information public, for example by publishing it online, or by sharing it with third parties (locally or abroad) whose identity you have not confirmed and who do not comply with the conditions set out in the Act. Be careful not to start pointing fingers when you could be the one at fault, or when it can easily be shown that your information is obtainable from another source that you yourself made available.
Step two: irrespective of how secure you think the solutions, rules and procedures you have put in place are, prepare for the worst, as discussed in our previous section on dealing with complaints. If you can, put insurance in place to protect yourself. There is no excuse, of course, but the reality is that if the largest governments and security agencies in the world cannot protect their own information all of the time, the chances that a suitably motivated and skilled individual (or group) can get access to yours are quite high. In this respect, we are sorry to say, what you see in the movies about “hackers” is closer to reality than to science fiction. The Internet is littered with personal information “gold” and it attracts a lot of attention from the wrong crowd. Very often it is the attractiveness of the target (i.e. the value of the potential payload) rather than the weakness of your systems that makes you a target; the caveat is that opportunistic attackers also scan indiscriminately for easy, poorly maintained systems, so a low-value business with weak controls is still exposed. There are obviously still many companies that are simply negligent or ignorant in the management of their systems and that neither acquire the knowledge they need nor appoint someone who has it. People need to realise that, as a business owner, protecting other people’s personal information is now part and parcel of the deal. Do with other people’s data as you would have them do unto yours.
Step three: simplify to reduce risk, while still covering all the bases. The Act says that a business must “identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control”. This condition can be quite daunting (if not overwhelming) in light of the information above, especially since it extends to the actions of staff and to “foreseeable” events such as the theft of a laptop, tablet or mobile phone. Note that the obligation covers information you control as well as information you merely possess, so data held on your behalf by a service provider or in the cloud is within scope. For purposes of discussion we have broken this requirement into the following parts, with implementation advice and suggestions for each in our Implementation document:
- Process (Operations)
- Service Providers and Software as a Service (SaaS)
- Public and Private Cloud