Writing and Blog
A collection of my writing, musings, and opinion pieces. Please check back for updates!
Ross is available for technical and other writing.
Should you be interested, please get in touch!
As a Software-as-a-Service (SaaS) provider, you will often be what is known as an “Operator” (POPIA) or “Processor” (GDPR) in privacy legislation. While you do not hold the lion’s share of responsibility for compliance, there are some obligations that you have towards your clients. Whether you are a B2B platform or a B2C platform, there are measures you need to take to ensure that your clients and consumers are protected from a security and compliance point of view.
POPIA has been in motion for a while, but now that we’re in the grace period, I’m seeing many more Data Subject Access Requests (DSARs) at my clients. These rights allow for the deletion of a subject’s personal data on request (among others). While simple on the surface, it goes a lot deeper and is quite tricky.
In short, the answer is yes, but they don’t have to be! You can have the best privacy programme in the world, but if your IT provider is not following your rules on it, you’re going to have a problem.
Within the software space, it is often the case that you will transfer data across borders (whether you know it or not). A transfer is not necessarily as blunt as taking a file from location A and transferring it to location B. Accessing file A from location B is in fact still a data transfer.
A few weeks ago I posted an article on ProjectSend, which is a great alternative to FTPS / SFTP when it comes to transferring files to and from your clients. Today, I’ll be doing a bit of a technical post that you can pass on to your IT team in order to set up your own ProjectSend server.
I have mentioned before in a few posts that compliance with privacy legislation should be more of a company-culture-based exercise than a compliance checklist. A privacy-aware culture is one that can, to a degree, manage itself, with staff members helping each other out as far as privacy is concerned, as opposed to relying on internal audit and a retrospective approach.
For ages, I have been looking for a Managed File Transfer (MFT) system to replace WeTransfer/FTPS for a number of my clients (and for myself). ProjectSend appears to be that solution!
In keeping with the ongoing practice of privacy compliance, you need to perform management reviews of your programme. While the acts and regulations are not necessarily explicit about conducting a management review, they do mention that the Information Officer needs to maintain a programme or framework, and part of this is ongoing review of activities.
As a software company, there are many components to consider in your Privacy Programme. Kicking off a privacy programme in a software company is adding more overhead to an already lean process, so how do you go about incorporating it in a familiar way? By releasing and managing your privacy programme the way you manage your SDLC.
The last few weeks have seen the privacy industry heating up here in SA, what with the introduction of POPIA. In these weeks, I’ve seen a lot of advice dispensed by non-specialists in the privacy field; some of it is valuable, but a lot of it is dangerous. This week’s post is a listing of the top 10 myths I see in advisory and in questions from clients and workshop attendees.