POPI technology pack underpins POPI initiatives

Data inventory is the first step and it’s easier than you think – if you can automate the process, says Murray Benadie, MD, Zenith Systems.

POPI is now a reality for all South African organisations.

Some of the obligations under POPI are to:

  • Only collect information that you need for a specific purpose;
  • Apply reasonable security measures to protect it;
  • Ensure it is relevant and up to date;
  • Only hold as much as you need, and only for as long as you need it; and
  • Allow the subject of the information to see it on request.

“Given the above, the first step for our customers must be to create an inventory of all sensitive data that is collected, stored or processed that contains personal information as defined by the Act, wherever it may reside across their network,” says Murray Benadie, MD of Zenith Systems, a leading South African cyber company.

This will help customers to understand what data is in-scope data and to identify the systems where that data is collected and stored, understand why it was collected, how it is processed and shared, and how long it is retained. Then, companies must ensure that adequate means of protecting that data have been implemented, all data types are classified, access is restricted to authorised personnel, and data is remediated when it is no longer needed or requested by customers. In addition, any third parties that have access to the data must be evaluated to ensure they too have adequate controls in place.

“Without this comprehensive data inventory, even basic obligations such as data subject participation in the process are impossible. How do you know where all the information pertaining to a data subject is, be they a customer, employee, job applicant or historical customer?” asks Benadie. Furthermore, a data subject also has the right to request corrections to their record when the data is out of date, incomplete, inaccurate, excessive, or obtained unlawfully. On receiving the request, the responsible party must complete the request within a reasonable timeframe. “This is not possible with a manual system as data is duplicated across organisations, including in databases, spreadsheets, CRMs, e-mails, PDFs, etc.”

The challenge in creating a data inventory and data map is that traditionally it relies exclusively on interviews with the application or process owner, and often (1) that person is new to the position and doesn’t have accurate information; (2) the previous owner did not document the personal data implicated; or (3) there simply is no owner.

Complicating this is the fact that applications are often fed by other applications and feed into others, with HR systems being the prime example.

The resolution is data discovery and classification: software that searches an organisation’s information ecosystem with methods specifically designed to locate POPI personal data, personally identifiable information (PII), and other controlled information. Your information officer will require an advanced, easy-to-use data discovery tool with the highest degree of accuracy and the fewest false positives to assess the state of the data and implement automation for classification, control and protection. Without the highest accuracy, results are unreliable and will lead to bad business decisions.

“This is where our Spirion solution provides an elegant, cost-effective and streamlined solution to our customers' POPI data management needs,” says Benadie. Spirion delivers unparalleled accuracy in locating any data type in places where privacy managers would not know to look. The results of such a search are often surprising, given how few organisations purge unnecessary information. Once located, controlled information can be classified according to the organisation’s classification policy and markings embedded into the document or file so that information rights management (IRM), endpoint security, data loss prevention (DLP) and/or related systems can enforce that policy.

Identify existing and potential data risk with Spirion

Knowing where personal data is stored on your network and with cloud providers, in both structured and unstructured formats, is critical both for protecting the data and for following through on requests to correct and erase personal data under POPI requirements, such as a data subject's right to have their data deleted from a company's records.

With Spirion’s sensitive data management platform, organisations can:

  • Accurately inventory and map all your relevant POPI data;
  • Identify and prioritise gaps in POPI compliance;
  • Minimise how much private data you are storing and remove duplicate information;
  • Protect each file according to its specific classification;
  • Monitor and audit user activity and detect and manage risky behaviour; and
  • Know your maximum exposure versus what's protected at any time – on-premises and with third-party processors.

Data discovery

Spirion AnyFind proprietary algorithms provide the highest level of accuracy with the lowest false positives. Accurately locate all your sensitive data on your network, cloud or device, or your partners’ networks. Generate a structured and unstructured data inventory and know exactly where your company’s personal data is stored.

Spirion can identify any format (eg, documents, presentations, e-mails, images, etc) in any location (Windows, Mac, Linux, file servers, desktops, databases, Web sites, SharePoint, e-mail, cloud repositories, etc). Identify the data and address requests to correct and erase personal data.

Benadie continues: “To complement that vast array of existing searches, Zenith Systems has also developed South African specific regexes that discover and manage South Africa specific POPI data such as SA ID, passport, cell numbers, addresses and even customer specific data such as loyalty programmes.”
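As an added illustration of the South Africa-specific matching described above (this is not Zenith Systems' or Spirion's code, and their regexes are not shown on this page): an SA ID number is 13 digits that start with a YYMMDD birth date and end in a Luhn check digit, so checking both removes most of the false positives a bare 13-digit regex produces. The function names and the sample text are constructed for this example.

```python
import re
from datetime import date

# 13 digits not embedded in a longer digit run (skips 16-digit card numbers etc.)
CANDIDATE = re.compile(r"(?<!\d)\d{13}(?!\d)")

def valid_birth_date(yymmdd: str) -> bool:
    """First six digits must be a real calendar date in either century."""
    yy, mm, dd = int(yymmdd[:2]), int(yymmdd[2:4]), int(yymmdd[4:])
    for century in (1900, 2000):
        try:
            date(century + yy, mm, dd)
            return True
        except ValueError:
            pass
    return False

def luhn_ok(digits: str) -> bool:
    """Luhn check over all 13 digits; the last digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(candidate: str) -> str:
    if not valid_birth_date(candidate[:6]):
        return "rejected: bad date"
    if not luhn_ok(candidate):
        return "rejected: bad checksum"
    return "match"

def scan(text: str):
    """Return (line number, masked value, verdict) for every 13-digit candidate."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            masked = "*" * 9 + m.group()[-4:]  # keep raw IDs out of the inventory report
            findings.append((lineno, masked, classify(m.group())))
    return findings

# Constructed sample input; none of these values belong to a real person.
SAMPLE = """Applicant ID 8001015009087, cell 0821234567
Order ref 1234567890123 shipped
Mistyped ID 8001015009086 on scanned form
Card 4111111111111111"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The rejected candidates are still worth reporting in a data inventory: a 13-digit value with a valid date but a failed checksum is often a mistyped ID rather than unrelated data.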

Data classification

Spirion helps you understand your data – including what type of sensitive data is out there, who is accessing it, how it is being used, where it has been and when it’s used. Persistently classify your assets, as defined by your organisation, for each file and then automate remediation and access controls when an end-user accesses classified content.

Personal data management and protection

Under the POPI requirements, information officers must now constantly monitor sensitive data for who did what, when, and where. Spirion provides extensive monitoring and tracking for full traceability. The Spyglass dashboard and customised reporting make all activities taking place in each file and its contents visible in real-time.

Monitor and report

Sensitive Data Watcher technology monitors the file system and automatically detects, classifies and reports on confidential data in real-time as files are created, modified or moved. Alerting, assignment and remediation are performed according to customised workflow processes. Spirion helps organisations demonstrate accountability across all data protection activities. Spirion Spyglass delivers enterprise-wide visualisation of an organisation’s sensitive data risk exposure with the ability to drill down into specific areas of interest all from a single screen. Security teams and executives get instant real-time and historical trends on existing data, newly created data, and protected sensitive data – whether on-premises or in the cloud.

Easy integration with existing infrastructure

Spirion data is accessible via Web APIs to communicate with third-party applications. Extend Spirion’s rich data to enterprise information security systems, including: security information and event management (SIEM) systems, governance, risk and compliance (GRC) platforms, cloud access security brokers (CASBs), user behaviour analytics (UBA) platforms and data loss prevention (DLP) platforms, as well as any other IT and security investment, thereby increasing visibility and accessibility.

Zenith Systems

Zenith Systems is a Cyber Security industry veteran and has deployed cyber security solutions in high profile organisations throughout Africa.

Zenith Systems specialises in Spirion Sensitive Data Solutions, Acalvio NextGen Cyber Deception, LogPoint NextGen SIEM, Snare Logging Solutions and MassComz Multichannel Critical Event alerting system.

www.zenithsystems.co.za

Spirion

Based in St. Petersburg, Florida, Spirion's passion is to protect what matters most – the personal data privacy and data security of our colleagues, our customers, and our community. We build and deliver the most accurate data discovery and classification solutions on the planet so that we can ultimately protect humanity (yes, humanity) by eliminating data privacy breaches. Period.

Our customers don’t want fast and easy – they want accurate and persistent – and that is what we will always focus on – because you cannot protect what you cannot find and “good enough” when it comes to data privacy… just isn’t.
