By Andrew Whittaker, Practice Lead
The Protection of Personal Information (PoPI) act is about ensuring the personal information of your employees, partners and customers is relevant and managed securely. In essence, you shouldn’t have any information about someone beyond that which you require for your business. Equally, you must take every reasonable measure to secure that information.
For IT companies, this means access to sensitive information in an organisation needs to be managed on an ongoing basis. It isn’t good enough to probe your environment once a year to check whether the access assigned to people is appropriate for their job function. To ensure compliance with the act you must put controls in place that check, on a regular basis, that access is correctly assigned and monitored, and that can prove it.
However, before you implement a solution, you need to understand where sensitive information is kept. Sensitive information is stored in either a structured or unstructured system.
In a structured system – such as customer relationship management (CRM) and enterprise resource planning (ERP) systems – the information is typically found in well-identified locations such as a database, where access is easier to manage. For example, in a CRM system, it is easy to supervise who has permission to see customer-sensitive information.
In an unstructured system – like Microsoft Windows file shares and SharePoint portals – sensitive information that’s relevant to PoPI is far harder to manage because it is unclear who has access to it, who owns it and what the information is.
Finding a solution for and managing access to a structured system is easier, and consists of a three-step process:
- Establish policy that aligns to PoPI requirements – in some instances unstructured data has historically been excluded from formal controls.
- Identity governance – making sure that you understand the people in the company, and control the identities of who can access the sensitive information. For example, if someone leaves the company, their access needs to be revoked. Likewise, if someone changes job roles, their access needs to be modified accordingly.
- Access governance – once identities are under control, you need to start managing and reviewing access on a regular basis.
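The identity and access governance steps above can be reduced to a recurring reconciliation: compare the HR record of who is still employed and in which role against the access actually granted on a share, and flag what should be revoked (leavers, movers and accounts with no identity record). The example below is added here to illustrate that review and is not code from the article or from any product; the HR roster, the role-to-share policy and the ACL snapshot are all constructed sample data.

```python
"""Periodic access review: reconcile HR identity records with share entitlements."""
from dataclasses import dataclass

# Constructed HR roster (identity governance input): employment status and current role.
HR_ROSTER = {
    "alice": {"active": True,  "role": "sales"},
    "bob":   {"active": False, "role": "finance"},   # leaver
    "carol": {"active": True,  "role": "support"},   # moved from finance to support
}

# Constructed policy: which role may access which share holding personal information.
ROLE_POLICY = {
    "sales":   {"crm-exports"},
    "finance": {"payroll"},
    "support": {"tickets"},
}

# Constructed ACL snapshot exported from a file server: (principal, share).
ACL_SNAPSHOT = [
    ("alice", "crm-exports"),
    ("bob",   "payroll"),       # still present after bob left
    ("carol", "payroll"),       # left over from carol's previous role
    ("carol", "tickets"),
    ("dave",  "crm-exports"),   # no HR record at all: orphaned account
]


@dataclass(frozen=True)
class Finding:
    principal: str
    share: str
    action: str   # "revoke" or "keep"
    reason: str


def review_access(roster, policy, acl):
    """Return one Finding per ACL entry so a reviewer can sign off each decision."""
    findings = []
    for principal, share in acl:
        person = roster.get(principal)
        if person is None:
            findings.append(Finding(principal, share, "revoke", "no identity record"))
        elif not person["active"]:
            findings.append(Finding(principal, share, "revoke", "leaver"))
        elif share not in policy.get(person["role"], set()):
            findings.append(Finding(principal, share, "revoke", f"not permitted for role {person['role']}"))
        else:
            findings.append(Finding(principal, share, "keep", "matches role policy"))
    return findings


def revocations(findings):
    """The (principal, share) pairs the review says must be removed."""
    return [(f.principal, f.share) for f in findings if f.action == "revoke"]
```

Run on a real ACL export and HR feed, the same logic gives the evidence trail of who reviewed which entitlement and why, which is what "proving that access is correctly assigned" means in practice.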
A solution for an unstructured system is more challenging. You need to locate the sensitive data, using specialised data classification tools that assist in finding information that matches PoPI’s specifications. Once the information has been identified, identity governance and access governance processes can be utilised to secure the information.
Overall, the introduction of PoPI will increase customer confidence in an organisation, because the information being stored will be relevant to the business and secured. For a long time in IT there has been a tendency to store any and all information possible without thinking about the implications of storing that information, or whether it is actually relevant to the business. One of the key outcomes of PoPI is a clear understanding of the information held, its relevance to the business, and what is actually required to secure it.
With a vast majority of our customers, we’ve already seen a sense of urgency to begin complying with PoPI, not just because of the fear of penalties and fines, but because it’s a sensible thing to do. It’s a good way to do business, and something that we should’ve been doing a long time ago.