Your data is your business’ lifeline. No business can operate in this day and age without taking serious measures to protect their data. And, in recent years, the storage and management of data has become more than simply an internal discussion between a company’s CEOs and IT team. With legislation like the EU’s GDPR and South Africa’s POPI Act, the way that you store your clients’ and employees’ personal information is now being regulated by the government as well. That’s what makes doing a POPI compliance audit so essential for any business.
While the Protection Of Personal Information Act 4 of 2013 has long been in the works, it officially came into effect on 01 July, 2020. Businesses have been given a year to comply, so by 01 July, 2021, you need to make sure that your business is safely and securely storing any personal data that you need to operate.
Becoming compliant can seem like a mammoth task. Many companies don’t have systems in place to keep track of their data. Even those that do may be storing the information in multiple ways, or storing unnecessary information without realising it. There are so many bits and pieces to the process that it can be easy to lose track. But, rest assured. We are here to help you ever step of the way with our series of POPI blogs to see you becoming compliant.
Let’s start at the very beginning…
Before you start making sweeping changes to the way that your business manages data, there are three questions that you need to ask yourself:
- What data are you keeping?
Both the POPI Act and GDPR are very specific about the kinds of information you can store about your customers. Storing unnecessary information just for the sake of having it is not permitted, and if you are found to be in possession, for example, of personal details for clients who have asked to be removed from your systems, the penalties are going to be steep.
- How is it being used?
Many companies store data with the intention of using it in future. You may, for example, be storing previous customers’ details with the intention of contacting them later to see if they are interested in any of your new products. But the fact of the matter is that under GDPR, you can’t store data without using it. At least, not indefinitely. You either need to have a plan in place for making use off the data, or already be using it. Otherwise, it’s better to cut your ties and let your previous customers give you their data again when they are ready to.
- Who has access to your data and why?
Personal data should only be accessible to those who need to use it. You cannot provide blanket access to personal data across your company, as this puts it at unnecessary risk. Your support staff don’t need to know your clients’ personal details, for example. The main teams that are going to make use of personal details would be customer service, sales and marketing. Make sure that you’re giving access to the right people, but that you keep personal details as private as possible.
This may sound like a complicated process, but it doesn’t have to be. This is precisely what POPI compliance audit is for. Performing an IT, GDPR compliance or POPI compliance audit can help you keep track of your data, and the users and programs that have access to it. And you don’t have to do an audit all on your own – IT companies like Solid Systems have decades of experience in performing audits for companies and making sure that their data is securely stored.
What is a POPI Compliance Audit?
Whether you are performing an IT audit, GDPR audit, or POPI compliance audit, you are basically trying to answer those same three questions that we mentioned earlier. What data is being stored, how is it used, and who is it used by?
To help you answer these questions, there are three principles behind any good POPI compliance audit:
- Know Your Data
Understanding what information you are storing is essential for ensuring that it is correctly stored. This should be step one on any company’s POPI Act checklist, as it will help you stay compliant. What you store is as important as how you store it, after all.
Performing a POPI compliance audit will help you gain a true understanding of the information you have, and what is needed for you to maintain that data according to the POPI act.
- Protect Your Data
Ensuring that the personal data your company keeps is safe from unwanted, prying eyes, like those of cybercriminals, is more than essential. If it’s not done, it could see you incurring penalties that go beyond simply fines. It could see you getting jail time, or see your business’ reputation being destroyed once your customers find out that your data isn’t safely stored.
No system is ever risk-free. Cybercrime is constantly evolving. But when you perform a POPI compliance audit, you are taking steps to ensure that you’re as covered as possible. That way, if disaster does strike, you will be well prepared, and there’s little risk that your clients’ personal data will be affected.
- Govern Your Data
As we just mentioned, cybercriminals are constantly finding new ways to infiltrate your systems and compromise your data. Your data may become vulnerable at some point. This is why performing a POPI compliance audit shouldn’t only be a one-time exercise. You should tick this off your POPI Act checklist at least once a year.
Thankfully, you don’t have to do it alone – remember that companies like Solid Systems are here to help you monitor your sensitive data ad ensure that any suspicious activity is dealt with quickly and effectively.
This will also help you to make sure that you aren’t keeping any unnecessary personal data. Remember – this not only goes against POPI and GDPR compliance, but it also adds unnecessary risk to your company. Once again, if your data isn’t being used, there’s no reason to keep it. It’s not worth the risk.
Performing a POPI compliance audit won’t be the be-all and end-all of your POPI journey, but understanding your data is the perfect place to start. And you don’t have to go it alone. Solid Systems is here to help you tick all those boxes on your POPI Act compliance checklist. Even if you don’t choose to use any of our other services, we are here to help you get your company ready for the personal data changes to come. Our audits are stand-alone services that we provide, and an essential one for any business to truly understand their data.
Contact us today to book your IT audit and assessment.