South African companies that are taking a compliance-based, check box approach to information security and the protection of personal information are not only doing it wrong, but are missing out on a golden business opportunity. This is according to information attorney and information security consultant, Mark Heyink.
Heyink argues that organisations of all sizes should pay careful attention to the competitive advantage that lies in baking the protection of personal information and other critical data into the core of how their business operates. Further, the best way to do this is to take a business-led, multi-disciplinary approach. Leaving it up to the lawyers leads to sound policies and procedures, but little technical insight. And leaving data protection up to the IT team alone leads to a solid technology approach, but little attention paid to policies, procedures and communication.
Ironically, Facebook itself, notorious for manipulating our information and manipulating us, is an example of the importance of data protection. In the wake of the Cambridge Analytica scandal, Facebook not only lost billions of dollars off its market capitalisation, but it also lost the trust of subscribers who defected to more secure, private encrypted platforms. To be sure, any company, even the good guys, can experience a data breach. But companies can mitigate the reputational damage by demonstrating that they have established and maintained appropriate safeguards to protect personal information from compromise. It is also important that they react quickly and do everything in their control to contain the damage if there is a breach.
Heyink suggests companies should reframe data protection as a question of economics rather than one of law, and consider it a good business investment that will ensure they stay in business. “Protecting personal information is already an important facet of business and it will become increasingly important as we progress through the 4th Industrial revolution,” he says. “Companies should embrace this and not see the risk as potential penalties. They should invest the time and money in doing the right things today, or risk being companies that go out of business in future.”
With the Protection of Personal Information Act (POPIA) becoming enforceable from 1 July 2021, we are well on our way to developing a more mature and responsible relationship towards data protection in South Africa. Heyink feels that too many companies see the emerging law and practice in data protection as a compliance burden when they would profit from recognising the opportunity to rethink how they process information, a critical advantage in modern business.
But also, collectively we need a shift in the way we think about our personal data, its value, and the very real harm that can be caused when it is abused. We should never lose sight of the fact that we are all data subjects and privacy is a fundamental right protected by our Constitution. When considering the personal identification information that passes over our desks in the workplace, we should ask ourselves whether we would be happy with our data, or the data of friends and family, being treated in that way. And when our personal details are clearly misused, we should be outraged, and, from 1 July 2021, report the misuse to the Information Regulator. As individuals we will have the power to force companies to respect a data subject's rights. Businesses are likely to be handsomely rewarded if they are ahead of their customers when it comes to data protection.
Mark Heyink will address why data protection is a good investment at Cyber in the City. You’ll also have the chance to ask Mark questions about how to motivate for this approach in your organisation. Cyber in the City is on 19 November 2020 from 9 am to 1 pm. Visit cyberinthecity.co.za to register.