Beyond backup and recovery – PoPI Act compliance requires understanding of how data is managed
The Protection of Personal Information (PoPI) Act, which came into force on 1 July this year, has compelled organisations to take a closer look at their data management in terms of how it is stored, what data is stored and for how long this data must be stored.
Essentially, this is the impact that the PoPI Act has had on businesses from an information management perspective. While local organisations have been aware of PoPI Act compliance requirements for a number of years, it has not really been a major talking point within organisations until now, purely because it has now become enforceable
The Act has also pushed organisations towards more effective data backup and recovery, with businesses putting controls in place to manage the content and time period for which they must or can keep their data.
In the past, organisations often deemed all their data to be important and would thus keep all this information indefinitely, but the Act stipulates that specific data must be kept for a defined period of time, specifically in terms of data that falls within the Personally Identifiable Information (PII) component of the Act.
More than backup and recovery
However, PoPI Act compliance extends beyond just data backup and recovery. Organisations need to conduct a business impact assessment to ensure that, in the event of data loss, they are able to restore the required data or face financial penalties and loss of reputation. . It would be fair to describe data backup and recovery as a company’s insurance policy on their data.
What the PII component of the PoPI Act has brought to light is that not only is it important to be aware of what data organisations are backing up, but that they also need to know what data they are creating, generating and protecting in their environment.
So from this perspective, it goes beyond backup and recovery, because we will eventually reach a point where companies will have to prove that they can report on sensitive data, as well as destroy this data in their various environments.
No evidence of compliance
Of course, a business can be negatively impacted if customer information is not properly protected during a backup. If the data is not protected and is destroyed, the company has no way of proving to a customer – in terms of the POPI Act – that their data has been appropriately disposed of. So, although the data isn’t there, there would be no evidence of its destruction and that would be a breach of the Act.
At the same time, it is quite a challenging task for any organisation to gain an effective understanding of their organisational data, or to report on what data is sensitive from a PoPI Act perspective. An organisation would either need to understand the nuts and bolts of every single IT application that generates data, or they would need a tool to scour their environment and do data discovery for PII.
Fortunately, tools are being released that give organisations the ability to discover data and draw up a dashboard to see where geographically their data is located if the organisation has geographic points. These tools can highlight any sensitive data or PII they find and inform the company what should be done with it.
PoPI Act compliance can be a very daunting task, but at least we have the advantage of learning lessons from other countries that have been through the process to comply with the requirements of the European Union’s General Data Protection Regulation (GDPR). Furthermore, a data management solution can significantly simplify the complexities that go hand-in-hand with the onerous exercise of compliance.