PoPI and the Issue of Privacy: An Opportunity to Create Competitive Advantage
By Professor David Taylor, Data Privacy Officer at T-Systems in South Africa
The recently enacted Protection of Personal Information (PoPI) Act, which sets conditions for how organisations can process information, has caused significant upheaval in the South African business environment.
Companies are either panicking about how to comply, or conversely opting to pay the fines for non-compliance as they see this as a less onerous option.
However, privacy of information is not a new issue, either locally or internationally. In Europe, information privacy has been a concern since the 1970s, and many countries have stringent laws in place. In South Africa, Section 14 of the Constitution protects citizens' right to privacy, which PoPI enforces, and the law itself has been in the making for almost a decade.
While PoPI compliance is typically seen as a grudge task, it can in fact be regarded as more than good governance, particularly for cloud service providers. Privacy of personal information can be used as a driver of competitive advantage in an environment where differentiation is difficult, positioning them favourably to retain and secure new business.
Cloud services have seen a rapid uptake in the local market in recent years, driven by increased availability and affordability of bandwidth. However, in light of the introduction of PoPI, organisations need to take additional cognisance of the abilities of their service providers.
Even if an organisation adheres to legislation with the highest standards, policies and procedures in place, relationships with service providers can introduce an element of risk.
The onus is on the company itself to ensure that its data and its customers’ information are protected, regardless of the outsourcing of services, as it will be held liable should information be breached.
In essence, PoPI is a set of conditions regarding how organisations process and store the personal information of their clients, customers and employees. These conditions include what information may be processed, under what circumstances it can be processed, for how long it may be stored, how information must be maintained, how and when it must be defensibly deleted and who is allowed to have access to it.
This includes all information that resides with an outside service provider, as is the case with the cloud. Ensuring cloud service providers adhere to PoPI as well as international privacy legislation is therefore essential.
For cloud service providers, the ability to guarantee privacy and compliance with such legalities can be leveraged as a differentiator and a driver of competitive advantage. Personal information is highly valued by customers, and organisations that can assure customers that their information is protected will attract more customers.
This trend has already emerged in Europe, and multinational enterprises with a local presence, as well as South African financial institutions, are leading the way locally.
PoPI compliance requires organisations to put into place certain legal, organisational and technical measures. However, every organisation is unique, and ensuring PoPI compliance is not a ‘one size fits all’ process.
Enterprises must analyse their industry and the applicable laws and regulations governing them in order to identify these requirements on a more granular level. The technology required, in particular, depends entirely on the size and nature of the business; however, this aspect is essential, as Sections 17 to 22 of the PoPI Act require appropriate security measures to be implemented.
Leveraging privacy and PoPI compliance as a driver of competitive advantage requires that all loopholes be closed, and that service providers take into account international legislation as well as local laws. To achieve this, the loopholes must first be identified, which requires evaluation across three categories.
Organisational matters such as the ability to respond to a breach and adequately trained support staff must then be addressed. In addition, physical security is essential in all aspects, from data security to shredding paper-based documents.
Once these areas have been addressed, customer trust can be developed and nurtured. Trust is the basis of loyalty, which is essential for retaining and attracting customers. Compliance with PoPI is not necessarily the onerous and costly task it at first seems to be.
While it may require a certain amount of effort, the benefits have the potential to outweigh this. In a sector like cloud computing, where the technology and service offerings are highly uniform, trust becomes the ultimate differentiator and point of competitive advantage.
Pure Storage: supporting the digital transformation journey
Pure Storage helps clients drive their competitive advantage by enabling data to deliver positive business outcomes such as evidence-based decision making using real-time analytics. “Working with the British Army, as part of an ecosystem of best in class solutions suppliers, Pure is providing private cloud services on-premise but also has offerings via AWS and Azure, and at container level,” explains Colin Atkinson, Pure’s UK Public Sector Account Director.
“Pure Storage is supporting the digitalisation of the army as part of Programme THEIA,” reveals Colonel Mark Cornell, Assistant Head of Army Digital Services. “THEIA is how we change our ways of working to adopt more efficient digital processes. Technology is actually the easy piece of the puzzle; the challenge is cultural and behavioral change”. The army is a conservative organisation by nature, so how do we get its people - civilian, military, and contractors - to adopt the appropriate ways of working we want to deploy?
“We move away from labour intensive processes, and move further up the value chain to get the human adding value where they should be in the decision-making process.”
We’re in the midst of a data revolution, highlights Atkinson. “We’re seeing an exponential growth in data analytics, which can create huge headaches for large organisations, or it can create massive opportunities. Data will be the oil that fuels this revolution….”
It’s a revolution that’s been gathering pace; each year, since 2016, 90% of the world’s data has been created in the previous two years. Atkinson also points out that 99.5% of historical data goes largely unanalyzed: “The corollary for large organisations is that if you don’t have a data strategy, you could end up with very large, very cold data silos and miss the opportunity to create that competitive advantage. By partnering with Pure we can help clients develop a data-enabling strategy.”
“We’re going to see a far greater use of data analytics in the British Army and across organisations in general,” forecasts Cornell. “We’re aiming for level three and level four predictive and prescriptive analytics approaches that start using Machine Learning and AI to give us deeper insights from our data. And as we move forward with Programme THEIA we see ourselves migrating our workloads and data into the cloud, making use of the elasticity of hyperscale clouds. But also, protecting our data in the appropriate way if we wish to keep it on-prem and use it, and secure it in that way. We’re part of that cloud revolution that's going on through defense, but also across the wider public sector.”