Are you ready to manage your own data breach?


“breach”

  • An act of breaking or failing to observe a law, agreement, or code of conduct.
  • A break in relations.
  • A gap in a wall, barrier, or defence, especially one made by an attacking army.

Oxford English Dictionary

Last week it was revealed that the personal information of over 30 million South Africans has been compromised. The exposure places millions of South Africans at significant risk of identity theft and related cyber crime.

Ironically, just last week we posted that the regulatory need to protect sensitive data is a key driver for data governance.

Data Privacy and Data Governance

Protection of Personal Information Act

The Protection of Personal Information Act (PoPIA) was promulgated in 2013 and requires companies to take adequate precautions against data loss. In addition, the Act requires that companies take urgent steps to notify both the Regulator and the data subject of any breach.

The Act allows plaintiffs to seek damages for compensation for losses suffered as the result of a breach, along with aggravated damages and interest.

General Data Protection Regulation

In Europe, the General Data Protection Regulation (GDPR) is a similar regulation affecting businesses holding data related to EU citizens. Many larger South African firms are directly affected, as they do business with, and in, EU countries. GDPR requires that breaches be reported within 72 hours to allow the injured party to take precautions.

We should also remember that many other African countries have their own similar laws. Companies doing business in the rest of Africa should understand the implications of managing data that may shift from jurisdiction to jurisdiction, and ensure that adequate governance is in place to ensure compliance.

Failure to comply has consequences

The legal consequences for noncompliance – such as a breach – may range from civil suits to criminal charges, fines and even prison sentences.

The reputational impact should also not be underestimated. Would you continue to do business with a company that lost or sold your personal identifiers or contact details to unknown third parties?

(Are you ready for GDPR? Take Collibra’s snap quiz.)

Data Governance is a necessity

GDPR and PoPIA signal a shift in how we think about data privacy. These acts move the focus away from the data – those bits and pieces of information typically flagged for privacy – to focus instead on the fundamental rights of the data subjects.

PoPIA requires that organisations put processes in place to ensure that data is only used for the purpose for which it was intended, that data is protected from unauthorized access, and that there is accountability for how data is used within the business.

At its core, PoPIA requires that sound data governance principles are proven to have been in place throughout the life cycle of personal data.

The key requirements of PoPIA are summarized below and linked to their applicability at different stages of the data life cycle.

PoPIA and the data lifecycle

Accountability

  • Responsible party to ensure conditions for lawful processing

Processing Limitation

  • Lawfulness of processing
  • Consent, justification and objection
  • Collection directly from data subject

Purpose Specification

  • Collection for specific purpose
  • Retention and restriction of records

Further Processing Limitation

  • Further processing to be compatible with purpose of collection

Information Quality

  • Quality of information

Openness

  • Documentation
  • Notification to data subject when collecting personal information

Security Safeguards

  • Security measures on integrity and confidentiality of personal information
  • Information processed by operator or person acting under authority
  • Security measures regarding information processed by operator
  • Notification of security compromises

Data Subject Participation

  • Access to personal information
  • Correction of personal information
  • Manner of access

Collibra Data Governance Center

In the EU, the impending deadlines related to GDPR have driven investment in tools like the Collibra Data Governance Center, which automates the complexity of governing enterprise data.

The Collibra DGC helps your staff to find, understand and trust your data, provides graphical views of how data flows between systems or across borders, automates critical data governance processes with off-the-shelf workflows, and proves that the organisation has taken steps to hold staff accountable for compliance with privacy laws.

In South Africa we are still largely focussing on just one of the seven pillars – data security.

It is time to take data governance seriously!
