Compliance & Legalities around business Data Protection in South Africa
Protecting data correctly and effectively is a paramount business continuity imperative. Not only do organizations with ineffective data protection strategies face the immediate costs and productivity interruption of data loss, they leave themselves vulnerable to data theft, unauthorised access to confidential files and are liable for legal penalties and criminal consequences due to failed corporate governance compliance.
Responsibility for protecting data cannot be left as IT's problem alone: stewardship and buy-in are required at executive level to avoid negligence, prevent reputational damage and implement a solution that addresses the areas of vulnerability.
The reality of data mismanagement is increasingly consequential. Failure to address your organization’s risks with urgency only increases exposure and the probability of suffering financial and legal penalties.
Acts and Reports are often long-winded, which makes them difficult to digest and complicated to drill down into tangible, actionable items. Yet without securing your data and ensuring that your data protection covers all the bases, the personal and organizational consequences can be severe.
We've broken down the main Acts and Reports pertaining to data protection in enterprise environments and placed them in the table above as an easy reference. They set out certain guidelines and requirements that all companies must follow:
Data Protection Legal Negligence & Compliance
1. The King III Report states that:
The Board is responsible for risk management (including data risks) and that it is necessary for them to demonstrate that they pro-actively manage these risks as a part of their duty of care
At a minimum, the Board should disclose that there is a documented and tested process in place that will allow the company to continue its critical business processes in the event of a disaster. We do not have a process in place.
It is the executives' responsibility to implement effective data management and protect the company's data, as the board is liable for negligence in this regard.
Consequences of non-compliance include:
□ Severe reputational damage
□ Legal disputes
□ Financial penalties
□ The appearance of ineffective internal management
2. The Electronic Communications and Transactions Act 25 of 2002 provides:
• Legal recognition of electronic documents, recognising that electronic documents and signatures can serve as the functional equivalent of their paper-based counterparts.
Chapter 8, Section 86
“A person who intentionally accesses or intercepts any data without authority or permission to do so is guilty of an offence. This offence is punishable by a fine or imprisonment for up to twelve months.”
“A person who intentionally and without authority to do so, interferes with data in a way which causes such data to be modified, destroyed or otherwise rendered ineffective is guilty of an offence and punishable with up to twelve months imprisonment.”
3. Public Finance Management Act (PFMA) – Chapter 5, Section 38 of the PFMA states:
"The accounting officer for a department… (a) must ensure that that department… has and maintains— (i) effective, efficient and transparent systems of financial and risk management and internal control."
"An accounting officer is guilty of an offence and liable on conviction to a fine, or to imprisonment for a period not exceeding five years… if that accounting officer… wilfully or in a grossly negligent way fails to comply with a provision of section 38."
4. Protection of Personal Information Bill (PPI) – Section 3.7 of the PPI states:
According to the bill, organisations must secure personal information in their possession or under their control by taking appropriate and reasonable technical and organisational measures to prevent loss, damage and unauthorised destruction of personal information, as well as unlawful access or processing of such information.
Corporate Governance Compliance Checklist
If you can tick any of these checklist items, you are probably in breach of data protection laws and requirements.
Ineffective data protection is unacceptable in business. To address your risks and prevent legal and financial consequences, you need to employ a data protection solution that offers peace-of-mind data security, prevents unauthorised access to data and is built from the ground up for enterprise data protection.
With Cibecs Business Data Protection, Compliance is Simplified.
Cibecs is an enterprise data protection solution built from the ground up to provide tangible solutions to business data challenges. With Cibecs, Corporate Governance Compliance and Data Protection Law Compliance are simple.
- Centrally managed, automated endpoint data backup
- Cibecs is a certified cryptography provider – no unauthorised access to confidential files
- Comprehensive reporting provides easy monitoring of your Data Protection Rating
- Fast & secure data recovery
- Ability to track data changes
- All business data is protected as defined in your backup policy – and is completely secure
Requirements in order to ensure effective data protection & compliance:
Further selected resources on Corporate Governance Compliance through effective business data protection.
Corporate Governance Compliance & Business Data Protection
Like all health care institutions, the Perinatal HIV Research Unit has a need and requirement for effective data backup and management. "Just think about the kind of information that is in our care, both from a patient and research perspective, and you immediately appreciate just how important it is that we have an effective data backup and recovery solution in place."
What role should IT play in corporate governance compliance?
To a large extent the trustworthiness of any company depends on the accuracy of the information it creates, collects and stores in its day-to-day activities. Most countries have legal and corporate governance legislation (and guidelines) that require companies, and their executives, to protect this information.
The United States, for example, has the Sarbanes Oxley Act, while South Africa’s King III Report recognizes the vital role IT plays in the continuity of a company by dedicating focused attention on the governance of IT systems.
The purpose of legislation and guidelines like these is not to turn the members of a company’s board into IT boffins, and it doesn’t seek to lay down any overriding IT management practices. The end goal here is to make sure a company’s board is entirely accountable for the reliability of IT.
To prevent unauthorised access to private information, health care institutions need a reliable and secure endpoint data backup solution. Data that isn't effectively protected is left vulnerable to breaches and loss, negating any attempt at data privacy. Loss of user data is a pervasive security problem among global companies, according to a survey released by Ponemon Institute and Vontu, a San Francisco-based provider of data loss prevention products.
A complete guide to HIPAA, the requirements and how to comply.
Compared to the 800 pound, legal gorilla called the Sarbanes-Oxley Act, King III comes across as something of a softie in the world of corporate governance. It’s not legislated and therefore not enforceable. Moreover, it takes the mild stance of “apply or explain” over “do or else”. However, a deeper inspection reveals a subtle and intelligent approach to ensuring its adoption.
As technology becomes more pervasive and critical to business success, the hairy creature that is GRC also gains in its complexity. Legislation surrounding various aspects of corporate governance, especially the management of business critical and personal data, further adds to the risk mix that companies are exposed to.