The recently passed Protection of Personal Information (POPI) Act has wide-ranging implications for all South African businesses. Ovations Group's Johan Dippenaar takes a look at some of the less obvious – but no less important – ones.
As ever more information is moved to ever more external destinations, companies face two major risks, says Johan Dippenaar of Ovations Group. The first is becoming a target for criminal activity. The second is failing to comply with the changing government legislation and industry regulations that the Protection of Personal Information (POPI) Act brings with it.
As a result, companies need far greater security and audit capabilities, especially over Internet-based data movement.
Do you know where your data is?
POPI will significantly impact the way in which companies collect, store, process and disseminate information from and to clients, employees and customers. Given its scope, POPI is set to affect every company, even those who only hold their own staff’s information.
The Act seeks both to uphold the right of South African citizens to privacy of their personal information, and to bring South Africa in line with international data protection laws.
Section 19(3) of the POPI Act of 2013 states that the responsible party must have due regard to generally accepted information security practices and procedures. These may apply to it generally or may be required in terms of specific industry or professional rules and regulations. In other words, ignorance is not an excuse.
As data movement grows within and between enterprises, it is becoming more important to effectively manage data transmission operations according to business priorities. Consequently, companies need secure data transfer and compliance mechanisms in place to move critical information both inside and outside of their organisations.
Old habits, new dangers
File transfer protocol (FTP) is a widely used data-movement standard. It provides an unsophisticated and straightforward way to move files to and from remote platforms. However, unmanaged data movement can result in unproductive use of network resources, and unimportant or duplicate bulk data movement can delay the delivery of critical data.
There is, however, another, possibly catastrophic, set of security exposures that accompanies the use of FTP. These, documented on the CERT website (www.cert.org), include the ability to use standard FTP commands to create a denial-of-service situation, or to exploit known vulnerabilities in FTP daemons to gain administrative or root access.
The cost of complacence
If personal information is compromised, POPI stipulates that the affected parties have to be notified immediately. FTP, like e-mail, is one of the long-standing data transfer tools that companies will have to look at closely if they are to comply with POPI and avoid the reputational, and potentially financial, consequences of a breach.
Person-to-person interactions are increasing and becoming as important to operational processes as applications are. Today, business users need to share many kinds of large files quickly and securely. Yet there is often no consistent way to deal with person-to-person file transfers, which increases the risk of exposing sensitive corporate data.
Knowledge of data movement and governance principles can help your business stay competitive. But you may not be able to acquire this knowledge yourself, because for most businesses data management is incidental to their core business.
In that case, picking a suitably qualified partner to assist with POPI compliance is essential. An appropriate partner is one that understands the importance of on-time, predictable and secure data movement and is able to select products that fit particular performance, management and security requirements.
Companies have a year to comply with POPI. That is far less time than it sounds, particularly where complex business processes are involved. Those companies looking to remain ahead of the legislation – and their rivals – have already begun working towards compliance. Shouldn't yours be?