CIARAN RYAN: The Protection of Personal Information (Popi) Act has ushered in a new era for companies and the way they accumulate and use personal information. This has been driven home in no uncertain terms as a result of several well-publicised security breaches where the data of millions of South Africans was compromised. I’m Ciaran Ryan from Moneyweb and to discuss this I’m joined by Colin Erasmus, Modern Workplace Business Group Lead at Microsoft South Africa. Welcome, Colin.
First of all, could you tell us a little bit about this issue of the Popi Act, the Protection of Personal Information Act? What has led to a heightened focus on information protection and compliance?
COLIN ERASMUS: Hi Ciaran, and thank you very much. Yes, I think the intro was great, and you hit the nail on the head. But maybe, to your point, let’s just have a look at why, and why we’re in the situation that we are.
Technology really has profoundly impacted our lives in so many ways, and I think everybody would agree with that – from the way we learn, the way we work today, the way we play in many aspects, the way we interpret the world and interpret data, and everything coming at us. In this specifically, coupled together with the sophisticated breaches that we’re seeing and the cyber-attacks, I think one of the key points is that the cyber-attacks that we’re seeing today have become exceptionally personal and exceptionally targeted. That’s also the reason why we’ve got to guard against personal information in such a very specific way.
And then the one fact that I would use here is that the IDC [International Data Corporation] estimates that by 2025 we’re going to see 10 times the amount of data being created or replicated than we saw in 2016. And that all coupled together really does heighten the way we need to look at information protection.
And the last thing I will say in that intro, Ciaran, is the fact that in the past when we were dealing with data, we were really dealing with things like maybe emails and maybe files. Today there’s so much more that an organisation collects – and not just an organisation. We collect these things generically, but we’re now connecting messages, text messages, remote work has actually led us to having video conferencing now, so we now have recordings of meetings, images, video files – not to mention IoT [the Internet of Things]. Throw IoT into that mix and you can understand that the amount of data that we now have [that] is stored everywhere – in the cloud, on personal computers, on premises – really has exploded.
I really think that is the premise, why things are so heightened at the moment, and why we need to look at information protection so carefully.
CIARAN RYAN: You mentioned the explosion of data. And, of course, as you get more and more data accumulated about clients and about people and staff in general, you’re developing a much more sophisticated and detailed profile of people in itself. If there are security breaches, that then poses even greater risk, does it not? So what would you say are some of the challenges that organisations have to face when it comes to protecting information?
COLIN ERASMUS: I think maybe, Ciaran, just to go back a step before I answer that question specifically, we need to look at what Popi set out to do; it really is there to regulate how organisations are generating, storing, managing, using and processing our data. I think that’s important to understand. And then to look at the challenges themselves that you just spoke about now – I think you spoke about where all this data lies in the data state.
I think one of the first challenges is to understand what data you have, and where that data is, how it travels, where it lies…
And in fact some of the stats that we’ve seen out of some of the research that we’ve done is that 88% of organisations today don’t believe, or are not confident, that they have sufficient information to detect and prevent loss of sensitive data. I think that’s one of the first major challenges that organisations sit with today.
I think the second major challenge when we talk about data protection is that a lot of it is actually about classifying our data and knowing what data we have – that’s the next biggest thing.
And to get back to some stats, it’s always interesting when looking at these things, that the research tells us that more than 80% of customers or corporates today actually have Dark Data. What do I mean by that? The data that they have is not classified, we don’t know how to protect it, and it is ungoverned. So that’s the other thing.
And then the last thing I’d like to touch on very specifically is regulatory compliance. If you speak to many organisations today, they really believe this is going to be the major downfall – not knowing where their data is and how to protect the data – that is actually going to lead to a regulatory or potential regulatory downfall. I do believe that those are just some of the challenges that organisations are facing today.
CIARAN RYAN: Yes. So, speaking of regulations, Colin, one gets the sense that larger companies are a little bit more on top of the Popi Act than medium-sized and small-sized companies. Would you agree with that assessment? And what are the implications of Popi on South African businesses in general?
COLIN ERASMUS: Ciaran, yes, I think that is well spotted and we are seeing that some large organisations are a little bit more prepared. The one thing that I will mention is that there are some other regulations that have been around for a while, specifically an ISO regulation, called ISO 27001, which really does speak to some of the regulatory needs around the protection of information, and a lot of large organisations have been looking at this for quite some time. So we do find that in large organisations we need to marry what the legal people are doing inside those companies with what our IT guys are doing. And you’ll actually find that most would be quite close to being compliant in many instances.
And we also find, Ciaran, that some industries are potentially better prepared than others, just purely by the nature of what they do and the information they collect. A really good example for us would be the financial services industry as a potential example. And maybe to answer the back end of that question, this Popi has been around for quite some time, it’s not really anything new. But I think the newness of it is the fact that the president actually promulgated this thing on July 1, 2020, and when he did, he actually gave 12 months’ grace for organisations to get compliant. Well, we are three months into that, so there are nine months left.
I would actually suggest a lot of organisations start looking at this, start understanding what their compliance looks like across the organisation. And after the nine months are up, by July next year, the regulator will start looking at the compliance against this regulation very specifically.
CIARAN RYAN: Now let’s get down to the million-dollar question here. What strategy and solutions are out there to help organisations?
COLIN ERASMUS: I think there are a couple, and there are a couple of questions that I would like to pose, and that I think organisations should be proposing to themselves internally.
The first one is – and we’ve spoken a little bit about this already – around understanding where your critical and sensitive data resides inside your organisation and not only where it resides, what it’s being used for and where it’s going. I think that is absolutely critical. I think it’s critical to prepare to understand the classification of your data. You can use whatever you want to, you can have “confidential”, “highly confidential”, “public” – this is really up to you as an organisation. There are some good best practices out there already.
Then the second one is to really ask [about] the travelling and the control – where does that data travel, who is using it, and what controls do you have over it.
And then the last one that I’d like people to think about is the governance. I’ve said many times I quite like the phrase that:
“…in any security or compliance strategy, people, process and technology is critically important. All three of those are very, very important.”
The other thing to look at, Ciaran, is insider risk management. Do you know where their data is going? If people are copying stuff off the SharePoint site, or whatever they’re doing and putting it onto a memory stick, where’s that data going? Was it classified information? There are toolsets available today that actually allow you to monitor these sorts of things.
So ultimately, if I think about it, this comes down to three things. The three things for me are knowing your data, protecting your data, and governing your data. And those are sort of the three things I would leave maybe with you today.
CIARAN RYAN: All right. So just as a final wrap-up there, you would say that companies are not quite there yet in terms of the Popi Act. They’ve got nine months to go, but there’s a lot that they’ve got to confront in their own organisations in order to become compliant.
COLIN ERASMUS: I think there’s still some work to do. I think there are some very good guidelines out there. But, yes, I think there’s still some work for all of us to do.
CIARAN RYAN: Very good. Let’s leave it at that. That was Colin Erasmus, Modern Work Business Group Lead at Microsoft South Africa. Thank you for coming on, Colin.
COLIN ERASMUS: Ciaran, thank you very much.
Brought to you by Microsoft South Africa.