Safeguarding Data: Technology

For small businesses, their choice in technology solutions will be key to making or breaking their compliance with the requirements of PoPI. The PoPI Act says that responsible parties must take “appropriate, reasonable technical and organisational measures” to ensure the integrity and prevent the loss of information. As discussed in previous sections, businesses and business owners will no longer have an excuse for not taking electronic security seriously. Responsible parties will have to up skill themselves to a level where they can participate in the implementation process of technology or at the very least effectively participate in the decision making process.

• Local is better. Do not rush out and start buying just any recommended or popuar international software product. For purposes of PoPI it woud be best to partner with software vendors who understand and have experience with PoPI and the South African environment. Many businesses have limited budgets and time constraints to implement solutions, so partner with someone who understands your business and can commit to a long term relationship. You woud not want a partner who is going to sell you a solution and then leave you with the responsibility of the implementation after they installed the software. Look for an end-to-end solution provider or facilitator.
• Set aside a budget for consulting, implementation and training on software. The software cost is only one part of the expense in implementing the solution. In our experience the software costs versus training and implementation costs is typically 1:3 or 1:4 for a known type of business, i.e. if your software costs R5,000 then be prepared for consuting fees of between R15,000 and R20,000. Assistance from the vendor will be critical to its success. Consider that by not spending money on consuting you may end up losing the R5,000 software investment and have to start from scratch, now with additional change management considerations and a team that is no longer motivated.
• Just because it says “PoPI Compliant” does not mean it is. Vendors must be able to demonstrate where they fit into the big picture and how their solution addresses specific requirements of the PoPI Act, not just one. Do not be so focused on trying to do something that you end up doing the wrong thing or only to soothe your conscience. As explained before PoPI must be approached from a BNS perspective or else you will be buying solutions that focus on backups, archiving, sales, etc. without solving the PoPI challenge.
• Consider all aspects of electronic communications. How and where do you store faxes, sound recordings, photos, etc.? Make sure these are controlled in the same way as text-based information and in a way that is structured so they are easy to find and remove should the owner request this.
• Technology must be flexible and easy to adapt to your business requirements. Make sure you choose a solution/solutions that is complementary to your business environment and where you can take over the management of it in the long run so you are not reliant or dependent on other parties to configure and maintain it for you (unless you want to).
• Reach out and join forces. The Act says that responsible parties “must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rues and reguations.” This is quite a responsibility, especially if “IT is not your thing”. You will need help, so get involved and share information with other likeminded individuals or similar types of businesses. At WorkPool we have forums where business owners and/or key resources can come together and discuss as well as share their knowledge and lessons learned, extending beyond security into other aspects of the business. By joining forums and interacting with other parties who face the same challenges your business ends up being better and stronger. There may even be an opportunity to share costs and combine implementation efforts.
• The Act says you must maintain your safeguards and regularly verify that your safeguards are still adequate, i.e. working the way they are supposed to. So set recurring tasks as reminders for checking and updating software and perform regular tests to confirm measures are still in place. Installing the software is not enough, you have to maintain it and ensure it does its job.
• Implement more stringent username and password policies, especially for systems that are accessible via the Internet. In this case, people are typically the weakest link. Consider that it can take only a few seconds to brute force crack a system with simple usernames and passwords. When a member of staff leaves your employ, close their accounts and change shared passwords. Do not allow any default (out of the box) username and password combinations, especially for Internet related services and devices (such as routers).
• Invest in early detection software to warn you when an attack occurs. It is better to know about it and take immediate action to limit the potential damage than it is to fix it afterwards. When we, for example, detect suspicious or non-standard behaviour on one of our Cloud servers we can take immediate action to protect other systems before the problem becomes more serious.
• Limit electronic access to personal information and prevent or limit the ability to copy and/or send data from systems. Bear in mind that the primary location of data as well as the reason for granting access to it may change over time. Your system and processes must allow for this. For example an operator who is only involved in the initial capturing stage may not necessarily have access to this information upon completion of his/her duties; just as a Project Team or Support Department should only have access to information of customers they consult or provide a service to. If your system cannot handle this type of access and controls for you, your processes may become quite long and complicated.
• Protect physical media by using mature encryption software to protect devices like laptops, tablets and mobile phones. Remember: If you lose any device with personal information on it you have a responsibility to notify those parties affected. Don’t add it to a device if you do not have the ability to secure it.
• Is your website hosted locally or at an international service provider? Is your website hosted on a shared or dedicated server environment? You better find out as the shared environments are typically much cheaper, therefore more popuar, but potentially more risky. Who is responsible for the security of the website and keeping software up to date? Many providers sell you the server hosting but then make you responsible and accountable for the updates.
• Do you publish customer and/or partner specific information on your public website? If so, do you have their written consent?
• Secure your backups. Store data in a secure location and encrypt information. Make sure your disaster recovery (DR) strategy complies with PoPI.
• Choose your service providers carefuly. This is discussed in the next section. Make sure you select an appropriate partner who can help you to navigate these technological requirements, who take PoPI as seriously as you do and can be trusted with your information. It woud be a good idea to ask them how they deal with PoPI in their own business.
• There are of course many more practical considerations and actions you can take in respect if safeguarding information through technology. Our Implementation guide will discuss this in a lot more detail and suggest strategies on how you can centralise your data and limit or manage access using processes.