
HOW IMPORTANT IS DATA MANAGEMENT FOR POPI COMPLIANCE
It will be very difficult, and some would say impossible, to achieve compliance with the POPI Act without Data Management and Data Governance. It is a bold statement, but it is borne out by any in-depth examination of the tasks necessary to achieve compliance. Consider the following implications:
In the case of a data breach where personal data was involved, both the regulatory body and the impacted individuals must be informed of the breach in a timely manner after it is discovered. The timing of this notification must take into account the legitimate needs of law enforcement, or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party's information system. The notification must further provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise. The specifics are set out in section 22 of the Act. The Information Officer must now, in a timely fashion, guide the team to rapidly track down which systems (paper or electronic), databases, computers or other personal devices were exposed. During this investigation the team will place reliance on the IT function and/or manual systems to produce the required detail.
Unless the organisation has mapped out which PII (personally identifiable information) is inside those systems and knows where (or whether!) it is encrypted or masked, it will face major challenges when reporting to the regulator and informing customers, employees or marketing targets that their data has been exposed. Doing this "on the fly" after a breach would be difficult without a "map" of where personal data (and which personal data type!) lies within the aforementioned systems, databases, laptops, cabinets or other filing systems. The task becomes even more cumbersome where duplicate data is stored and processed without an "index" of what is stored and processed where.
It is also interesting to note that in the European Union the new GDPR (General Data Protection Regulation, replacing the 95/46/EC Data Protection Directive in May 2018) introduces a new principle which allows the data subject/citizen to invoke their "right to be forgotten" and have their data erased from an organisation's data stores.
There is a substantial similarity between this principle and section 5 of the POPI Act, dealing with "the rights of the data subject", as well as section 24, "correction of personal information". In short, the data subject may under certain circumstances exercise their right to withdraw consent for processing and request the destruction or deletion of their personal information.
Even if the organisation has mapped out where personal data lies within the organisation, it will still need to locate the records of the one individual who made the request and verify, with a high degree of certainty, that the data it has found relates to that particular data subject. Again, a thorough prior understanding, mapping and recording (and subsequent governance) of the PII will definitely be necessary for compliance with these requirements.
When considering all eight conditions of the Act, it is clear that for the majority of them "total control" over the data is a prerequisite for successful compliance. It would be difficult to prove that every set of PII is processed only to satisfy a specific, explicitly defined purpose (condition 3) and is adequate, relevant and not excessive (condition 2) without good data management and data governance.
In conclusion, it is advisable for organisations, as part of their pre-compliance preparation, to establish a comprehensive and reliable "map" of all PII collected and processed, and to manage the processing lifecycle of that data through the appropriate governance structures.