Data hoarding may make companies liable to PoPI penalties

14th November 2014 By: Schalk Burger - Creamer Media Senior Deputy Editor

Although companies process more data than before, data hoarding – gathering data without a clear business reason or security strategy to protect the underlying information – exposes them to Protection of Personal Information (PoPI) Act, No 4 of 2013 penalties, as well as associated business risks.

When PoPI comes into effect, data hoarding will be illegal in South Africa, because the Act requires that personal data may only be processed for as long as there is a clear and defined business purpose for doing so, says advisory firm Grant Thornton Johannesburg information technology (IT) advisory director Michiel Jonker.

Technology news website Mybroadband last month reported serious security vulnerabilities in a Web application of financial services firm FNB, which led to data leakage: the online card-tracking facility exposed customers’ personal details. Urban rail operator Gautrain’s gold card holder details were also exposed during the same week.

“All security breaches will have to be reported directly to the data subjects that have been impacted on and to the Regulator.

“Businesses need to consider whether these security incidents are the result of data hoarding issues or operational oversight, especially with the new PoPI legislation and its strict guidelines looming,” emphasises Jonker.

Security incidents can be very damaging to a company’s strategy and reputation in the marketplace, as well as its competitive edge.

Companies have been processing and analysing more data pertaining to their industry and to existing and potential clients. However, there is a very fine line between using effective business analytics tools to mine data for a defined purpose and hoarding data with no purpose and no strategy for its security consequences, he notes.

“The new Act provides an almost certain guarantee that more companies will end up with egg on their faces very soon, aside from businesses also having to appear in court to face criminal charges and civil claims,” Jonker warns.

While business and IT strategies should not be built purely around compliance requirements, such as the pending PoPI legislation, businesses must adopt security best practices to strike a proper balance between the availability of information and the security principles that protect it.