South African businesses are all aware of the pending Protection of Personal Information Act (POPI) and the implications thereof when it eventually becomes law. However, what they might not be considering is that the European Union's General Data Protection Regulation (GDPR) is a more pressing issue for local companies than is POPI. GDPR comes into effect on 25 May 2018 and there appears to be uncertainty about the extent to which it will impact businesses outside of the EU.
Gary de Menezes, Country General Manager, Sub-Saharan Africa at Micro Focus, explains why South African businesses should take note of the pending GDPR legislation.
There are several fundamental differences between GDPR and POPI. The biggest difference is that POPI is legislation dependent and relates to businesses that store data. GDPR, on the other hand, is not legislation dependent and applies to all businesses that control, process or store data. De Menezes says, "We have to wait for the POPI Act to be passed, and while the expectation is that it will come into force once GDPR is enabled, there's no guarantee. This has made South African businesses complacent and the majority of them won't be compliant in their handling of personal information as of 25 May."
What's worse, they might not be able to be compliant by the May deadline, says De Menezes: "The ‘go-live' date for GDPR was set two years ago, so EU companies have had that length of time to become compliant. South African companies are only now realising that they might have to become compliant too."
He goes on to explain, "Any company that has data that it controls or processes for any EU client is bound by EU law, and many South African businesses have EU clients. Consider the capturing of foreign visitors' fingerprints at the airport as they enter the country, or a business that distributes its newsletter to EU citizens. Performing any transaction whatsoever with an EU citizen or business makes the local company subject to GDPR. And the legislation applies equally to physical and digital data."
Marianne van der Pluym, Security Portfolio Sales Manager: South Africa at Micro Focus, adds, "Non-compliance with GDPR can attract a fine of up to €20-million or four percent of global turnover. That's massive for a South African business. In addition, there's the possibility that a legal claim could be initiated against a non-compliant business that exposed EU citizens' personal information as a result of a data breach. Over and above the financial implications, there's the reputational damage that's caused when companies lose personal data that they're entrusted with."
Over the past year alone there have been some well-publicised breaches and hacks, and some companies have closed down as a result thereof. Van der Pluym says, "South African businesses that are GDPR compliant will have more credibility with customers, investors and other stakeholders because they're seen to be adhering to an international standard in terms of protecting their data. The competitive advantage that this provides is undeniable."
What is GDPR compliance?
Simply put, GDPR compliance encompasses a combination of technology and processes to protect personal information. The key requirement of GDPR that's stipulated very clearly is that all data must be encrypted at all times. POPI, on the other hand, doesn't specify that data must be encrypted, only that it must be protected. De Menezes says, "Data is typically encrypted at source and destination, but is unencrypted in flight. Should someone hack your network, they can catch your data while it's in transit and therefore not encrypted. That's when your data is most at risk of breach."
One of the challenges that businesses face is how to encrypt data in flight, from end to end, and still be able to do analytics with the encrypted data. However, it is now possible to encrypt data at a granular level and still be able to run analytics on it, says De Menezes. The ability to interrogate encrypted data is a game-changer and represents a new evolution in the data cycle, he says.
"However, it's also vital to control who has access to that data as that's where some of the biggest breaches occur. It's no use encrypting your data if the wrong people have access to it. Too many organisations have poor basic security controls around access. Normal passwords are no longer sufficient. Businesses need to step up their authentication and go beyond introducing a second factor such as a one-time-PIN and implement multi-factor authentication to increase levels of security around the encrypted data. ‘Good-enough' measures just won't do."
Another requirement of GDPR is that every business have a data protection officer, who will be responsible for implementing all of the requirements of the legislation. De Menezes says, "While POPI enforcement will depend on the region and legislation, and the onus is on businesses to report data breaches, the EU will drive absolute GDPR compliance and proactively notify (and take measures against) businesses that aren't compliant."
Too many companies just aren't taking data protection seriously enough and are adopting a wait-and-see attitude. When the first company has been fined, then other businesses will take heed and only then start their compliance journey, says De Menezes.
Where is the CISO?
Van der Pluym says that when you consider the massive potential consequences for the business of insufficient data security, the Chief Information Security Officer (CISO) should have a seat on the board. Both the threat of reputational and financial damage are board-level prerogatives, as is the fact that the business can be exposed to breach of contract claims. Security is fast becoming one of the most important functions in large corporates, yet it is all too often an afterthought. Security through obscurity is no longer sufficient. It needs to be embedded in the IT architecture from end to end, a fundamental thread that flows across the business."
The role of the CISO is growing in importance, having a CIO is no longer sufficient. She elaborates: "The CIO is charged with keeping the lights on. That's their main priority. Whereas the CISO role is to understand the business and legal implications of IT security – or lack thereof – within the business."
She cites the example of the two major Yahoo breaches earlier this year. "They didn't immediately disclose the data breaches to all affected parties. At the time, Yahoo was in discussions to sell the business to Verizon. Because of the way that the data breaches were (or weren't) handled, the business was sold for $350 million less than the initial asking price. The potential impact of a massive data breach on the board and shareholders is very real."
It's clear that GDPR has a far bigger reaching impact globally on businesses than any previous laws that have governed the protection of information – and goes far beyond the scope of POPI, says De Menezes. "If you're GDPR compliant, then you're POPI compliant. There's a definite lack of understanding and awareness in South African companies around the limitations and liabilities that GDPR will bring."