[South Africa] It's time to act on Protection of Personal Information Act, says Xperien CEO, Wale Arewa
Uncontrolled data growth urgently requires new corporate policies for data storage and retention. The Information Regulator is pushing for the remaining provisions of the Protection of Personal Information Act (POPIA) to be finalised and come into effect by 1 April 2020.
The chairperson of the Information Regulator, Advocate Pansy Tlakula, has already sent a request to President Cyril Ramaphosa to bring the outstanding aspects of the POPIA Act into effect. After the commencement date, companies will have 12 months to get their systems and processes in place to comply with the Act for the processing and storing of personal information.
Xperien CEO Wale Arewa says it’s time to act. “The POPIA Act will ensure that companies are responsible when collecting, processing, storing and sharing personal information and once the Act is effective, they will be held accountable. The penalties will be harsh; lack of compliance will lead to fines of up to R10 million and a jail sentence of up to 10 years.”
“Disposing of old computer equipment used to be a mindless process, but those methods of the past are no longer an option with the introduction of new laws and regulations. The days of piling it up in storage or simply selling it off to staff or second-hand retailers or even dumping it in a landfill are over,” he explains.
New corporate policies for data storage will be required, especially with heaps of hard drives and solid-state drives lying around storage rooms and data centres. Most of these drives contain sensitive data which needs to be protected or permanently removed - or it could put the company at risk.
More importantly, data at end-of-life is a massive challenge for most businesses, big and small. It is often assumed that once data has been marked for disposal, it no longer requires much attention. It is essential for data security and the protection of personal, proprietary and confidential information that data is permanently destroyed, deleted or erased from devices.
Arewa says simply deleting the data or running a magnet over the old hard drives in an attempt to erase data is not sufficient. “Even using the old hard drives for target practice or drilling holes in them will not satisfy the prescriptions of the PoPI Act and nor does a factory reset.”
Xperien has a track record in the refurbishment and disposal of old computer equipment in a way that is fully compliant with the PoPI Act. The safe erasure of data is carried out using specialised tools like Blancco, which is recommended by IT consulting firm Gartner as one of the most suitable tools for this purpose.
This is done either on site, or the equipment is removed under strictly supervised and secure conditions for off-site handling. Once the data is safely erased, the client company is issued with a PoPI-compliant certificate.
Arewa says lessons could be learnt through GDPR compliance that can later be applied to POPI compliance. “It might make sense to have one compliance project that covers all bases, POPI and the GDPR alike.”
“Whether businesses plan to do this in-house or through a professional IT Asset Disposal (ITAD) provider, it needs to be done sooner rather than later,” he concludes.