POPIA and GDPR: just focus on best practice data protection

Compliance with the looming GDPR enforcement is simply a matter of tweaking POPIA and general best practice models for data protection.

With Europe’s General Data Protection Regulation (GDPR), set for enforcement on the 25th May 2018, South African companies of all sizes dealing with the personal data of European residents should be focusing on their ability to comply. On top of GDPR, the South African Protection of Personal Information Act (POPIA) sets out fairly stringent guidelines for data protection.

Many local companies still fall short in terms of legislation such as GDPR and POPIA, and find themselves increasingly pressured to understand exactly what they need to do to ensure their data management is compliant.

The good news is that the GDPR and POPIA are simply different flavours of best practice data protection laws, and it is in the best interests of both customers and companies to comply. These laws are actually quite similar to each other and by ensuring you are compliant I believe there is a real business case that can provide you with competitive advantage due to the implementation of best practice guidelines that are designed to protect everyone.

When South Africa enacted POPIA, there was no clear indication of what the GDPR would look like, and there were concerns the GDPR would be radically different from POPIA, forcing a significant change in POPIA.

However, it has emerged that the GDPR is essentially an update to data protection law, rather than a complete overhaul. There is much debate whether this is a good thing and whether the GDPR effectively protects data privacy in the risk environment we live in. However, it is clear that GDPR, like POPIA, are striving to enforce better data protection and privacy practice across the digital realm. Over time, regulations may change, there are core principles that all companies should adopt, whether they are listed entities or not. These include international best practice, best practice outlined in the KING Code of Practice III/IV, and the laws of South Africa including POPIA, The Electronic Communications and Transactions Act and the Consumer Protection Act.

For those who already apply best practice and have moved to comply with POPIA, GDPR will not bring a great deal of change.  It does, however, require fast action as the date is already set in stone.

By following these principles, companies will be in a position to align with global best practice and evolving legislation:

EXECUTIVE AWARENESS

GDPR/POPIA affects your business. It’s not simply a security issue. If your organisation wants to keep up with global competitors and do business with EU citizens this is everyone’s issue. You have to get your entire executive team and the board on the same page, and in order to mitigate and continuously manage this, you need to name a Data Protection Officer (DPO).

PRIVACY OFFICE

Once you have the executive team on board—with funding and full commitment—it’s time to organise your privacy office. This should really be a full network; your entire organisation should be looped in and everyone should be accurately updated on regulations and rules. Your DPO needs to align a privacy counsel and program manager to help roll out GDPR/POPIA compliance all the way from the CEO to sales and marketing and support to IT ops, and so forth.

MAP PROTECTED DATA

Everyone’s on board? Great. Now it’s time to take a look at what personally identifiable information (PII) is collected and why. Where is it stored and how is it used? Take an in-depth audit now. Is PII transferred across borders? Why and who is it shared with?

OPERATIONAL IMPLEMENTATION

It’s time to build and customise your company’s processes and Incident Response Process (which must happen within 72 hours under GDPR). Your DPO should also assess your third party vendor risks at this time. Be thorough.

AWARENESS AND TRAINING (REPEAT)

Build new specifics into your new-hire training, but don’t forget about ongoing technical training for senior staff. Make annual security training mandatory and brief your executive leadership on new GDPR/POPIA readiness.

Continuous compliance, detailed mapping and auditing of the “why” and “how” of your customer’s PII and data, and setting up a strong privacy team with a Data Protection Officer who knows the importance of getting buy-in from the board will keep your company compliant.

Do not forget that policies are merely a start, yes a great start but implementation of these policies will only be achieved through ongoing monitoring.  The latter is crucial to success. 

Most of this can be outsourced. Policy is the starting point, action is compliance. As case law evolves let us all make sure that we have done everything within our power to be compliant and use data privacy functions as a competitive edge.

By John Mc Loughlin, Managing Director at J2 Software

First appeared on ITWeb Industry Insight