The moment has arrived: last week the Protection of Personal Information Act (PoPIA) came into force.
It hasn’t been sprung on us: the process has been ongoing for years, and businesses have had that long to anticipate their compliance obligations.
PoPIA, much like the General Data Protection Regulation (GDPR) in the EU, exists to support the protection of personal information processed by public and private organisations. There are strong penalties for noncompliance.
PoPIA is Live
Now that the Act is live, there are several ramifications for businesses, but a few – anecdotally at least – have given executives more sleepless nights than others.
Companies must allow data subjects to object to the processing of their personal information and to withdraw previously given consent at any time. When a company receives such a withdrawal, it must stop processing that subject’s data immediately.
Beyond this, once there is no longer a demonstrable need to process the data, that is, once it is no longer actively used for the purpose for which the subject originally gave express permission, the company loses the right to hold onto it unless retention is required by law.
In addition, organisations must take reasonable steps to ensure that the personal information in their possession is accurate and not misleading. They must maintain records of their processing activities, and they must ensure that data subjects are aware of which information about them is being stored.
Data subjects also need to be able to access their personal information and update it.
Security in the Age of PoPIA
Security is an important part of PoPIA. Organisations must safeguard the confidentiality and integrity of the personal information they process, and they remain responsible for ensuring that any service providers processing data on their behalf maintain appropriate security standards.
They must also notify the Information Regulator, and the affected data subjects, as soon as is reasonably possible in the event of a breach or compromise.
In a nutshell, businesses are accountable for ensuring the lawful processing of data. Of course, there will be teething issues, even though PoPIA was promulgated in November 2013. It is live and enforceable from 1 July this year.
One of the main lessons from GDPR was that companies that started their preparation long in advance were in a better position once the legislation went live. Perhaps the biggest lesson, though, was the need to modernise data backup and protection.
Modern Data Protection in the PoPIA era, much as it has been since GDPR went live, means knowing what data you hold, managing it, securing and protecting it properly, staying on top of documentation and compliance, and continually improving the efficiency of the systems involved.
Mass migration into the cloud is enabling businesses to make use of a myriad of applications and technologies to help them achieve these outcomes.
Because of this, businesses have larger and more diverse pools of data to manage, and with that an increased need to keep the data available, secure, and usable. To compound matters, they must retain customer trust in a world where cyberattacks are on the increase.
They can do this by deploying a strong, compliant foundation of data backup and intelligent data recovery.
Essentially, Modern Data Protection should be built on the fundamentals of best practice, many of which are reflected in regulations.
Insights from Veeam
Jason Buffington and Dave Russell, two former industry analysts who have joined Veeam as Vice Presidents, held an interesting conversation in a Veeam series on modern data management. They noted that regulation merely sped up, and added budget to, activities that responsible companies should be undertaking anyway.
They said that IT teams are aware of areas where inadequacies lead to missed service level agreements. It’s not uncommon to hear IT departments say that they are expected to do more with less.
Regulation, as we have seen with GDPR and more recently with PoPIA, means that an enterprise’s data strategy must have a strong focus on modern data protection. With regulatory requirements looming, executives have asked how this perceived extra requirement would be met. In practice, by deploying a modern platform that achieves high backup success rates, properly secures data, and can restore it rapidly, they would already have satisfied a substantial proportion of the compliance requirements.
Buffington and Russell argue, correctly, that most regulations around the world don’t require practices to be entirely overhauled, because Modern Data Protection platforms already deliver most of what the regulations ask for and are continually evolving.
Seen this way, being forced to address data management, albeit under the spectre of PoPIA, pushes enterprises to rethink their strategies and implement new Modern Data Protection tools and policies. Done correctly and with the right partners, this improves operations and unlocks new business value, all while remaining compliant.
That’s a win-win scenario for data subjects and businesses.
By Chris Norton, Veeam Software’s Country Manager of Africa.