Over the last few years, I’ve had the learning experience of serving on multiple InfoSec (Information Security) committees. During this time, I’ve gained a working knowledge of the South African Protection of Personal Information Act (POPIA), the General Data Protection Regulation (GDPR) in Europe, and most recently the Australian Privacy Act and the Australian Privacy Principles (APPs) that sit under it. I have also had the honour of aiding in the development of a management tool for such acts and regulations during my time at Cura Software Solutions. In this time, and particularly while researching how compliance with these acts is managed, I’ve noticed that many companies globally see compliance with these regulations as “the IT department’s problem”. The truth is that this is an incredibly dangerous assumption to make.
Many of the tools out there, particularly from companies that specialise in a specific IT hardware niche, reinforce this assumption by advertising their products as end-to-end solutions for GDPR. This is not to say they’re advertising falsely; they certainly are end-to-end compliance tools for their niche, but they don’t necessarily cover the entirety of GDPR, POPIA, and the multitude of other privacy laws out there. Sure, IT systems play a massive part in compliance, particularly in taking the “reasonable measures” to secure data that the acts require, but how much further does the reach of these acts extend?
Think Human Resources
If your company processes the data of customers, it is in your interest to protect that data. Data protection in all its permutations also concerns your employees and partners. It is of equal (if not greater) importance to keep the data of your employees secure. Records of medical aid details, demographics of employees, data on their dependents – these all fall into the categories of special personal information that need care beyond that of the standard data you may hold on your customers (such as contact details and marketing information). In many cases, physical copies of documents containing this information will be stored in an office or store room, and the access and retention controls on that filing cabinet are far beyond the control of the IT department.
Think Call Centre
In addition to looking after your employees’ data, you need to ensure your employees look after the data in their charge. If you have a call centre, or even just a reception desk, it is vital that your teams understand the consequences of mishandling personal information. Impress upon them the fines and penalties that these laws impose – up to 20 million euros (or 4% of annual global turnover, whichever is higher) in the case of GDPR, and POPIA carries the potential for jail time for those responsible. Granted, these are on the extreme side and would follow from complete disregard of the law, but the consequences are there. Social engineering, where an attacker impersonates someone else (a customer, a colleague, a supplier) in order to talk staff into releasing information, is very real, and your employees handing out client information, or even fellow employees’ information, to the wrong person can have a real impact. Give them a simple verification procedure to fall back on (for example, confirming identity against details on record or calling back on a known number rather than disclosing anything on an inbound call). It’s up to you to ensure that this awareness exists.
So what’s next?
These are just two examples of how privacy regulation extends beyond the control of the IT department. It is important that as a decision maker or leader in an organisation, you are not caught with your head in the sand (or your pants around your ankles). Delve into the laws, get to know how important they are, and build privacy by design into your company. Companies like Cura Software offer tools that manage your compliance across the board, while consultants such as myself are able to come in and educate you and your staff on how to handle data. Having had my identity stolen a few years back, it’s close to my heart that people know how to look after data!
Deadlines have already come and gone for GDPR and the world is ushering in a new age of respected privacy, best we all get on board sooner rather than later!