With the introduction of the Protection of Personal Information Act (PoPIA) in South Africa in April this year, local businesses are now legally required to ensure that all client, supplier and employee information is stored, processed and destroyed in a manner that upholds privacy and protection of personal data.
Data protection and information management are increasingly under the global microscope as significant breaches have dominated the headlines in recent times. Dating website Ashley Madison, Ster-Kinekor and the Panama Papers are just three prominent intercontinental examples, while only late last year, more than 60 million South Africans were left vulnerable as their personal information, including ID numbers, was unlawfully accessed and leaked from a real estate holding company server.
Cybercrime is on the increase (up 63% in the UK alone) and the associated cost of these damages is predicted to reach $6 trillion annually by 2021. What’s more, business cybercrime is expected to grow exponentially and become the greatest threat to every company worldwide.
The responsibility of ensuring that personal information is safeguarded against being leaked falls squarely on the shoulders of the companies that obtain it. While PoPIA aims to ensure compliance when dealing with personal information, and holds unethical entities accountable for abuse, it cannot protect data from being leaked.
Personal data that is protected by PoPIA consists of personal contact information (address, telephone numbers, email and so on), demographic information (such as ID number, date of birth, age and ethnicity), private correspondence (conversations between a representative and a client), and biometric information (blood type, fingerprints and medical history).
Data protection risks are faced by all industries, but financial institutions and medical and insurance companies face the greatest threat due to the volumes of personal client information they collect.
Non-compliance and resultant data breaches can lead to lawsuits and penalties, including R10 million fines and up to ten years’ jail time. Businesses need to guard against this liability and securely store and manage essential company records. Partnering with an information and records management specialist can help implement secure information and backup solutions, but the specialist needs to be compliant with record-keeping regulations and have the necessary security measures in place.
Apart from cybercrime, inefficient disposal of documentation opens businesses up to further threat, legal ramifications and financial losses. Businesses that compromise on responsible document disposal could be handing seemingly invaluable personal information over to fraudsters, who may use this data to steal identities, auction the details off on the dark web, falsely apply for credit, and/or pass intellectual property and trade secrets on to competitors.
South African businesses are legally obliged to keep company records securely in their system for up to seven years. These records include AGM reports, annual financial statements, accounting records, notices, minutes and resolutions of all shareholder meetings, plus any information made available by the company to the holders of the securities in relation to such resolutions.
When documents are no longer relevant or required, it’s best to destroy them responsibly, and the most effective way of ensuring that information cannot be retrieved, reconstructed and repurposed, so to speak, is to shred them.
Digital transformation is the way of the future, but it comes with many risks. Data protection and information management require strategic and risk oversight to remain compliant and future-proof businesses against new-age challenges.
Wayne Clarke is managing director of Metrofile Records and Information Management South Africa.