Data protection legislation to impact on non-compliant SA businesses

The forthcoming promulgation of data protection legislation in SA is expected to have a significant impact on local businesses in 2013.

March 28, 2013

The forthcoming promulgation of data protection legislation in South Africa is expected to have a significant impact on local businesses in 2013, as compliance is set to become a legal necessity for businesses.

This is according to Guy Kimble, Managing Director of Metrofile Records Management – a group company of JSE-listed Metrofile Holdings Limited – who says that with a legal framework in place now governing data information, it is now critical for companies to review their current systems and to ensure they implement a secure data protection solution.

“Enterprise data is one of the most valuable assets in any company and should be treated accordingly. If critical business data is not properly identified and protected it can prove catastrophic to a company, its shareholders and its customers.”

There is often a misperception among companies that they can easily replace valuable data should a disaster such as fire, public unrest, power failure, hardware failure or data corruption occur, says Kimble. “However, statistics have shown that failing to adequately prepare for such a scenario can have major repercussions, including forcing the business to close.”

Data collated by the U.S. Department of Homeland security suggests that 93% of companies that experience a significant data loss are out of business within five years. While there are no local statistics, this alarming statistic highlights the repercussions that South African businesses could face if they fail to act to protect their own data.

“It is simply good business practise to have a robust data protection plan in place to protect this asset, as well as to ensure compliance with future legislative requirements, such as the Protection of Personal Information Bill (POPI).”

He says that companies often become overwhelmed in the search for a reliable data protection provider due to the many options out there. “However, not every data protection provider is legitimate and by selecting a disreputable provider the company is placed at risk of severe legal, financial and reputation consequences.”

Thorough Internet research, reading trade publications or trusted referrals are typically the best ways to source a data protection provider, says Kimble.

“However, there are some critical questions the company must ask the provider before initiating any business agreements, such as: how does the provider ensure the security of the data (through encryption, firewalls, passwords, physical security etc.); does the data protection provider ensure total compliance with local laws and governance; will the solution increase efficiency; can the backups be tested; are there appropriate systems in place to locate the company’s data when required; and does the provider have legitimate customers /references?”

He says typical warning signs that may indicate a data protection provider is not reliable include, among others: lack of adequate premises or a data centre; no climate control in the data/tape storage areas; a short duration of the business; no local support engineers; poor staff qualifications; restricted access to facility (what are they hiding?); no proof of Disaster Recovery plans; bad reviews on media or Internet (blogs); single entry point of contact; no customers or lack of track record; no website; and no membership to a recognised industry bodies (e.g. Professional Records and Information Services Management).

“Before signing anything, it is best to try the provider out by asking for a demo or a trial run and seeing whether there are qualified people to assist or if the contacts are only sales people. It is also a good idea to conduct some research around international trends which will also help to ascertain whether the provider is using current technologies or merely providing outdated services.”

He says it is also important to consider whether the provider has adequate scalability should the company’s requirements grow and to question whether the solution will ultimately lower the total cost of ownership and provide a good return on investment in the long run.

“While the task of finding a reputable and reliable data protection provider may seem daunting, it is an absolute reality that local businesses must begin to take seriously before they place their company and its customers under legal, financial and reputational risk,” concludes Kimble.