Writing and Blog
A collection of my writing, musings, and opinion pieces. Please check back for updates!
Ross is available for technical and other writing.
Should you be interested, please get in touch!
With only around 50 (rough estimate) privacy consultants and law firms that are specialised in the space, there is a mad scramble for assistance in the murky water that is compliance with POPIA, with most (if not all) of us fully booked into July, August, and beyond. So, what do you do if you’re running late and looking to comply? I approached a number of colleagues in the privacy space asking for their top 3 to 5 tips of things that you need to focus on RIGHT. NOW.
Classification of data within your possession is not necessarily something that a lot of companies (particularly smaller ones) think of, but the practice is becoming a regular requirement of security attestations and Data Processing Agreements (DPAs). Within the privacy and information security spaces, different types of information are treated differently, be it relating to how it is stored, or even where it is transferred.
Privacy and Cyber Security don’t just start at the point where your product is released, they need to be embedded much earlier. Integrating these aspects into your SDLC (software development lifecycle) early on is key to complying with your obligations in terms of privacy laws as well as meeting the expectations of an increasingly aware consumer.
Everyone should be moving down the line with their Data Protection Programmes at this stage; however, there are some common blind spots you need to be aware of in the privacy space. In this article, I’ll break down three of the top unexpected sources of data that I find regularly during gap analyses.
Ross G Saunders Consulting is expanding! We are looking for a talented graduate with a year or two’s experience to join the team full time, complementing and supporting outsourced consultants, clients, and partners.
There has been a lot of talk around Information Officers when it comes to POPIA (Protection of Personal Information Act) and PAIA (Promotion of Access to Information Act), with a guidance note recently released by the South African Information Regulator. The note details a lot of the who and what that you need to know in terms of this vitally important role in terms of the law.
We hear it all the time, "you have to have POPIA policies!", but what exactly does this mean? A number of companies that I've spoken to take policies as being the be-all-and-end-all of POPIA (though I suppose that's a step up from it being all about consent). Yes, you...
I work with a number of software and design agencies that host Software-as-a-Service solutions or other forms of web-based applications. Part of what I do is assess how secure the application is, and how privacy may be affected. In performing these assessments, we dive into how the application is put together, but also how it is secured from an infrastructure point of view. What I have found is that while companies are generally really good at taking security into consideration, the approaches to security are often out of date or based on bad advice.
What is the fastest way to shut down a privacy programme? It’s not a breach; breaches can make programmes stronger. It’s not budget; there’s a lot you can do with very little budget. Company culture, however, can reduce a privacy programme to nothing before it even gets out of the starting gates.
Something that bugs me immensely in the quest for privacy and information security is the vast chasm of disconnect between big corporate / enterprise and niche software companies when it comes to data protection. It’s something I tend to notice more and more, since I mostly deal with software companies, start-ups, and managed service providers.