Recently South Africa passed new legislation, whereby companies are accountable to provide governance over the protection of personal information; both company and employee related. This legislation is known as the Protection of Personal Information Act, POPI or PPI.
The PPI (Protection of Personal Information) Act, refers to the Data Life Cycle, providing rules and guidance for the following “states” of information within the information life cycle:
- Collection or creating data
- Processing, Marketing & Cross Border Transfers
- Purpose Specification
- Further Processing
- Retention requirements
- Destruction or Archiving
With the increasing growth and expansion of technology in our world today, many boundaries are being broken down and distance becomes irrelevant in the world of data and information systems.
The cyber highways contain a wealth of information that travels round the globe in an instant. Current news articles are read digitally seconds after they are published and this form of information or content is part of our daily lives.
Today email on a smartphone or tablet is a “must have” in both your personal and professional lives. Employee’s can now be empowered to submit leave requests, claim expenses or access internal systems while on the move or while sitting at the airport waiting to catch a business flight. But how is all this information governed?
The problem with such vast amounts of information scattered around leads to the question: “How do I ensure that my company and personal information is adequately safeguarded?”.
With the advent of mobile devices; laptops, smartphones and tablets, providing this information any where, any time, has a significant impact on personal information governance.
From an enterprise mobility perspective, the picture looks like a piece of Swiss cheese, full of holes. These mobile devices pose great risk in this information marathon to become PPI compliant. In the event of an information “breach” companies must be confident in answering the following question: “What was done to protect this personal information?”.
To ensure that this question is sufficiently answered, companies must develop and implement a mobility strategy, mobile device policy and personal information governance policy for all staff members to adhere to when mobile devices are used to expand the “borders of the office”.
With stringent, well thought out and planned mobility secure policies in place, an enterprise platform can be established which allows a company to enforce the protection of its data and that of its employees too.
As part of a mobile secure strategy the following mobility areas are focused on to provide broader coverage of mobile protection:
- MDM – Mobile Device Management
- MAM – Mobile Application Management
- MCM – Mobile Content Management
- TEM – Mobile Communication Management
One glove does not fit all!
Unfortunately due to the nature and complexity of the Protection of Personal Information Act (PPI), implementation in becoming compliant will entail analysis of the company’s data, purpose of data and business processes to allow the building of a bullet proof solution. The out-of-the-box, drop and go solution will not be sufficient to ensure compliance.
In conclusion, for companies to comply with privacy requirements aligned to Protection of Personal Information legislation, companies need to ensure the security, transmission and storage of personal data, together with a clear defined mobile strategy, mobile user policies and the implementation of reliable and proven technology to ensure the management and protection of data in the enterprise.
Deloitte Consulting has the experience in mobile secure methodology together with risk advisory services to provide a single source and advantage point for mobile data privacy governance.