Protecting your databases from external threats is one thing, but the starting point is the responsible processing of personal information.
The manner in which you collect and process information can effectively minimise the risks to your customers. By acquiring information smartly, you limit the impact of a security breach, because information that is collected in an orderly way, minimal in volume and kept up to date is easier to monitor and protect.
Three things will contribute greatly to the responsible processing of information in your business:
1. Appoint a leader
Put somebody in charge. You need a leader who can shoulder the responsibility of processing and protecting data within your organisation. A genuine leader will be the catalyst for your successful compliance protocols. Most companies will opt to appoint the CEO or MD as Information Officer (as required by the PoPI Act) due to their proven leadership qualities. This Information Officer may appoint a compliance officer, who executes the company’s compliance protocols, but the executive must lead the way in promoting company-wide adoption of the policies and will be held responsible by law for the protection of personal information.
2. Only gather the information you need
This principle is known as processing limitation: your employees must acquire information directly from the data subject (your customer or lead) and with their consent. You may acquire only the information that is strictly required for your services and nothing else, and you must specify exactly what it will be used for. Should the data subject request that you remove their information from your data banks, it is your responsibility to ensure that it is deleted.
Processing limitation also has a people dimension: take data privacy training and awareness into account, look to appoint employees who are trustworthy, and provide training where necessary. In practice this means an additional layer of strict screening for new and current employees.
Risks related to employees
There is always a risk that employees may sell information. Besides the damage of such a data breach, your organisation or, specifically, the Information Officer will also be held responsible for the malicious intent of that individual employee. Human error is another major cause of data breaches. This includes the mishandling of information, such as employees leaving sheets of paper containing personal information lying around. All of these instances should be addressed during training.
Purpose of data
You need to be able to explain the need for every single piece of information you process and to be clear about what you will do with it. It is your company’s job to explain to the data subject exactly what their information will be used for and to obtain their permission to gather this data for that specified purpose. Using it for another purpose requires additional consent from the data subject. In other words, you cannot, for example, gather someone’s email address for the purpose of verification and then also add it to your mailing list unless you acquire consent for that as well.
To further protect your customers’ data, access to data silos must be limited to only the employees who require it. If an employee’s specific role within your organisation is not directly linked to specific data, they should not be able to see or use it. To adequately control access to specific pools of data, you need to create an infrastructure for the life cycle of data, from collection to destruction, that keeps data within your organisation away from the employees whom it does not concern. After all, you wouldn’t leave a memo from the Board of Directors on an intern’s desk, would you?
Negligence by anybody in the organisation is, under the law, considered to be negligence by the appointed Information Officer or organisation leader. This layer of accountability, resting on their shoulders, means that if every “i” is not dotted and every “t” is not crossed, the company’s elected Information Officer could face a hefty fine or prison sentence. This is not a matter of doing weekly check-ups on employees and micromanaging; it is about creating a company culture of due diligence in data collection.
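The two controls described above, consent bound to a stated purpose and access to a data pool restricted to the roles that need it, can be enforced at the point where an employee's application reads the data. The following Python is an added illustration, not code from the original article or from any PoPIA toolkit; the roles, data pools, purposes and consent records are constructed sample values, and every decision is written to an audit trail so the Information Officer can demonstrate how access was controlled.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class ConsentRecord:
    subject_id: str
    purposes: Set[str]  # purposes the data subject explicitly agreed to


@dataclass
class AccessPolicy:
    role_pools: Dict[str, Set[str]]     # role -> data pools that role may read (hypothetical mapping)
    pool_purposes: Dict[str, Set[str]]  # pool -> purposes a read from that pool may serve


def authorise(policy: AccessPolicy, consents: Dict[str, ConsentRecord], audit: List[dict],
              role: str, pool: str, subject_id: str, purpose: str) -> bool:
    """Allow a read only if the role is linked to the pool AND the stated purpose
    is one the data subject consented to. Every decision is appended to audit."""
    verdict, reason = "deny", ""
    if pool not in policy.role_pools.get(role, set()):
        reason = "role is not linked to this data pool"
    elif purpose not in policy.pool_purposes.get(pool, set()):
        reason = "pool is not processed for this purpose"
    elif subject_id not in consents:
        reason = "no consent record for the data subject"
    elif purpose not in consents[subject_id].purposes:
        reason = "purpose not covered by the subject's consent"
    else:
        verdict, reason = "allow", "ok"
    audit.append({"role": role, "pool": pool, "subject": subject_id,
                  "purpose": purpose, "verdict": verdict, "reason": reason})
    return verdict == "allow"


def demo() -> Dict[str, bool]:
    """Constructed scenario mirroring the article's email example."""
    policy = AccessPolicy(
        role_pools={"support": {"contact"},
                    "billing": {"contact", "payment"},
                    "marketing": {"contact"}},
        pool_purposes={"contact": {"verification", "newsletter", "invoicing"},
                       "payment": {"invoicing"}},
    )
    consents = {
        "s1": ConsentRecord("s1", {"verification"}),               # gave email for verification only
        "s2": ConsentRecord("s2", {"verification", "newsletter"}),  # also agreed to the mailing list
    }
    audit: List[dict] = []
    results = {
        # verification of s1 by support: role, pool, purpose and consent all line up
        "support_verifies_s1": authorise(policy, consents, audit, "support", "contact", "s1", "verification"),
        # s1 never consented to marketing use of the same address
        "marketing_mails_s1": authorise(policy, consents, audit, "marketing", "contact", "s1", "newsletter"),
        # s2 did, so the same read is permitted
        "marketing_mails_s2": authorise(policy, consents, audit, "marketing", "contact", "s2", "newsletter"),
        # support is not linked to the payment pool at all
        "support_reads_payment": authorise(policy, consents, audit, "support", "payment", "s2", "invoicing"),
        # no consent record on file for this subject
        "unknown_subject": authorise(policy, consents, audit, "billing", "contact", "s9", "invoicing"),
    }
    for entry in audit:
        print(f"{entry['verdict']:5} {entry['role']}/{entry['pool']} {entry['subject']} "
              f"for {entry['purpose']}: {entry['reason']}")
    return results


if __name__ == "__main__":
    demo()
```

The check is deliberately layered: the role-to-pool mapping implements the "intern's desk" rule from the text, while the per-subject consent lookup implements purpose limitation, so an address collected for verification is refused for a mailing list even to a role that is otherwise allowed to read contact data.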
3. Be accurate and open
When acquiring information, proactive measures like acquiring consent must be demonstrable to the Information Officer, and the responsible party must take reasonable measures to ensure that the data subject is fully aware that their data has been acquired, what specific information was gathered and the purpose of doing so. This protocol may take the form of a data receipt of some sort, similar to the way we provide receipts in financial transactions. You should be treating the exchange of information with the same degree of importance as a financial exchange.
At the same time, the responsible party (i.e. the holder of the personal information) must ensure that the data collected is complete, accurate, not misleading and up to date. Furthermore, the “right to be forgotten” is a right to have personal data deleted, in particular from the Internet. Although the right to be forgotten is not explicitly outlined in the laws, it would coincide with the processing limitation principle and is likely to eventually play a role in compliance, as it does under Europe’s gold standard of data protection regulations, the GDPR. A smart way to approach this may be to set an automatic expiry on data. For example, data is collected and 24 months later is deleted from the system, or alternatively the data subject is informed and asked for consent to continue storing their data, or asked to take the time to update their information.
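The automatic-expiry approach described above can be run as a scheduled retention sweep. The Python below is an added example rather than code from the original article; it uses the 24-month period from the text and assumes a hypothetical 30-day window in which a data subject may answer a re-consent request before the record is deleted. The records are constructed sample data, and the dates are chosen so that each branch of the policy is exercised.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

RETENTION_MONTHS = 24                   # retention period from the article
RECONSENT_GRACE = timedelta(days=30)    # hypothetical time allowed to answer a re-consent request


@dataclass
class Record:
    subject_id: str
    collected_at: datetime
    renewed_at: Optional[datetime] = None              # set when the subject re-consented or updated their data
    reconsent_requested_at: Optional[datetime] = None  # set when we asked them to re-consent


def add_months(moment: datetime, months: int) -> datetime:
    """Calendar-aware month arithmetic; clamps to the last day of the target month."""
    month_index = moment.month - 1 + months
    year = moment.year + month_index // 12
    month = month_index % 12 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def expiry_of(record: Record) -> datetime:
    """Retention is counted from the most recent consent, not the original collection."""
    anchor = record.renewed_at or record.collected_at
    return add_months(anchor, RETENTION_MONTHS)


def sweep(records: List[Record], now: datetime) -> Dict[str, List[str]]:
    """Classify each record as retain / notify / delete and mark newly notified records."""
    outcome: Dict[str, List[str]] = {"retain": [], "notify": [], "delete": []}
    for rec in records:
        if now < expiry_of(rec):
            outcome["retain"].append(rec.subject_id)          # still within 24 months
        elif rec.reconsent_requested_at is None:
            rec.reconsent_requested_at = now                  # expired: inform the subject and ask again
            outcome["notify"].append(rec.subject_id)
        elif now - rec.reconsent_requested_at >= RECONSENT_GRACE:
            outcome["delete"].append(rec.subject_id)          # asked, no answer within the grace window
        else:
            outcome["retain"].append(rec.subject_id)          # asked, still waiting for an answer
    return outcome


def demo() -> Dict[str, List[str]]:
    """Constructed records evaluated as of 1 January 2025."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    records = [
        Record("fresh", datetime(2024, 6, 1, tzinfo=timezone.utc)),
        Record("expired", datetime(2022, 1, 1, tzinfo=timezone.utc)),
        Record("ignored", datetime(2022, 1, 1, tzinfo=timezone.utc),
               reconsent_requested_at=datetime(2024, 11, 17, tzinfo=timezone.utc)),   # asked 45 days ago
        Record("renewed", datetime(2022, 1, 1, tzinfo=timezone.utc),
               renewed_at=datetime(2024, 3, 1, tzinfo=timezone.utc)),                 # re-consented, clock restarted
        Record("pending", datetime(2022, 1, 1, tzinfo=timezone.utc),
               reconsent_requested_at=datetime(2024, 12, 22, tzinfo=timezone.utc)),   # asked 10 days ago
    ]
    result = sweep(records, now)
    for action, ids in result.items():
        print(f"{action}: {', '.join(ids) or '-'}")
    return result


if __name__ == "__main__":
    demo()
```

Counting retention from the last renewal rather than the original collection is what lets a data subject who confirms their consent keep their record, while the grace window ensures that silence after a notification ends in deletion rather than indefinite storage.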
A general “rule of thumb”
PoPIA compliance is not as difficult as it seems, and if you are able to acquire and process data responsibly, with an accountable party leading your organisation with expertise and a thorough understanding of the general principles, there is inevitably a lower risk of falling victim to damaging data breaches. More importantly, by strictly limiting the amount of information you use, your clients are far less likely to suffer significant personal damages from a potential breach. Smaller banks of information are also easier to protect and, if you have trustworthy, knowledgeable employees, you will be shielded from non-compliance.
At the core of the protection of personal information lies the responsibility to treat information as a valuable asset, which it is.
What data to collect?
Unsure about what data you need to collect? Get in touch for ideas on how to pinpoint your needs and access requirements. Our PoPIA team has experience advising clients in various sectors, and can guide you on the best solutions for your circumstances.