You are Accountable for Protecting Client Data

Published: 14 June 2018

“When the so-called ‘misuse’ of Facebook data by British political consulting firm Cambridge Analytica came to light in March 2018, South Africans were still reeling from the ‘deeds office’ leak that affected 60-million citizens, both dead and alive, in October 2017. The real effects, however, are possibly still not known.”

So says Wayne Borcher, COO of data specialist SSA, noting that the closing of Cambridge Analytica’s doors, as well as the cost to Facebook shareholders, was “a drop in the ocean” of the harm caused by an apparent lack of security or watchdogs in both cases.

“We know from previous data breaches that the ripples can spread for years,” he says. “We know, too, that every time a developer builds a smarter security solution, a smarter hacker may see it as a challenge. Of utmost importance, then, is starting off your digital journey with a governance team that understands just how vital it is to ensure data security and the mitigation of the fallout from breaches.”

With vast experience in the field of data and its need for the highest security measures possible, Borcher says a blueprint that includes setting up a trusted governance team accountable for all aspects of data hygiene, security and ongoing maintenance, which includes alerts to suspicious incidents, is imperative.

“The real damage from leaks and breaches is time,” he says. “A recent report by cyber attack prevention specialists FireEye Inc shows that the time it takes between the data being breached and the discovery of that breach is around 146 days on average globally - but a massive 469 days for the EMEA region.

“This means your customer’s names, ID numbers, telephone and address details are out there for someone else to snap up and possibly sell or use for their own gain. They’re vulnerable and your reputation is, at best, tenuous.”


Data breaches and protective regulation

All reports indicate that cyber attacks and data breaches are expected to grow globally year on year, and data governance teams will be required to answer for any non-compliance with the Protection of Personal Information (PoPI) Act in South Africa and the recently implemented General Data Protection Regulation (GDPR), which replaced the EU’s 1995 Data Protection Directive.

“What SSA is suggesting to all clients is that they ensure their governance teams are ready for the full implementation of PoPI and for GDPR, whether they are doing business in the EU or not right now.” Borcher believes that, just as the medical industry has its “Universal Precautions” to help mitigate the spread of disease by assuming the worst-case scenario and treating every disease as contagious, the data industry should be taking the highest level of precautions possible now.

“Waiting until a threat appears and backtracking on your digital path to fix it just doesn’t make sense,” he says. “We know what has happened and we’ve been warned about what is coming. Your digital journey should start with the assumption that there will be threats and possibly even breaches, and your obligation to your customers is to ensure their cyber safety as much as possible.”

According to Borcher, the GDPR gives individuals the authority to compel organisations to reveal or delete any personal data they hold. “Failure to follow the rules will result in costly penalties and even the same fate as Cambridge Analytica.”

To comply with the new laws on personal data protection within a company, SSA suggests the following:

  • Make sure your data governance team is well-versed in all compliance requirements, and that data that is irrelevant to your business is securely disposed of
  • Governance must include accountability for potential leaks or breaches, and the mitigation of both in the shortest time possible
  • Using trusted, secure internet is only a start
  • Blockchain technology may be used to authenticate devices and users
  • If no single individual or group has unlimited access to all data, your chances of an “insider” leaking data are minimised
  • The data governance team must be constantly updated on global data breaches; new ways to reduce incidents of cybercrime; and new Acts and laws that affect data privacy


Built-in assurance for your customers

“At SSA, we walk our clients through the path to digitisation because we are aware this is usually not their core business. We start with the blueprint, where we determine not only who forms part of the governance team, but what authority each person has, including access to parts or all the data.

“Then we map out how to ensure the use of the most robust security software and processes to alert governance teams and security personnel to a potential breach as quickly as possible; and have breach mitigation plans and security experts ready to take action.”

From the blueprint phase, Borcher warns that the governance team must ensure compliance with both GDPR and PoPI and make certain that customer consent is explicit and not by default or “opt out”. “Consumers have the right to take action against companies that do not ask them to ‘opt-in’ to communications and other activities, and organisations may have to prove that they were given full consent,” Borcher says, adding that encrypting personally sensitive data is part of what can be mapped into the blueprint.

“The sheer number of data issues that must be dealt with keeps growing, and your responsibility to customers’ cyber safety grows with them,” Borcher states. “At SSA, our business is to walk you through every aspect of the digital journey and make sure that your organisation is legally compliant, as secure as possible, and ready to take on the opportunities that digitalisation brings.”