In the Digital Era, compliance to ever-tightening regulations around the protection of business and customer data is viewed by many organisations as an added expense, or a waste of time and resources. Until, that is, they fall victim to a data breach or loss through any number of actions.
As cybercrime escalates, compliance with regulations like Europe’s GDPR (General Data Protection Regulation) and South Africa’s own PoPI (Protection of Personal Information Act) are legal requirements, and strategies for success and resilience in a risky digital landscape.
Here’s why. Admittedly, the requirements of compliance – which starts with an internal audit of what customer information you do or don’t have stored – may feel frustrating; a time and resource sink. This is especially true for SMEs, who may not have the manpower or infrastructure to effectively tackle the mandated task.
Despite years of discussion, PoPI has yet to come into effect, meaning it’s probably slipped onto the priority back-burner for many South African organisations. It pays to be prepared now, if your company isn’t already aligned with GDPR requirements, which extend beyond the European Union.
Safeguarding yourself against potential business-crippling fines (of €20-million or 4% of annual global turnover) shouldn’t be your primary motivation. Today’s consumers increasingly prioritise protection of their data and privacy. Data breaches, like those experienced recently by Facebook and Liberty, have caused serious reputational damage. Compliance should never be approached from the angle of imposed regulations; it’s best considered as reinforcing a trusted relationship with customers.
Compliance is also an excellent guideline as to how you should be managing information at your organisation – to protect against costly downtime. Forget fines. The expense associated with data loss or compromised systems could alone destroy a business. In the online shopping sector, for example, site downtime and payment errors quickly drive frustrated customers to the competition.
What can companies do in their simultaneous drive to ensure compliance and business continuity? Your strategy should centre on the following.
Cybercrime tactics are continually evolving, and usually target SMEs and corporates indiscriminately
It’s impossible to be a specialist in everything, but be sure to stay up-to-date with your business’s compliance status and the latest security threats. Not only is there GDPR and PoPI to consider, but also the already-existing regulations laid out by the bodies overseeing your industry.
At the same time, cybercrime tactics are continually evolving, and usually target SMEs and corporates indiscriminately. Employees should be educated about best cybersecurity practices – like carefully checking email addresses of senders. This knowledge must be regularly refreshed to counter newer threats.
Businesses, SMEs especially, outsource regularly to fill gaps in their knowledge and resources. It should be no different when it comes to compliance and continuity – enter a retainer relationship with a specialist attorney or advisor in your industry to ensure you tick all legal boxes.
Today’s cloud service providers offer multiple data protection tools even if their core business is not security. Before, companies had to implement security measures for their own on-premise private network, but the shift of software to the cloud means that cloud service providers now offer security tools and tips. Businesses are largely freed from managing this complex task to focus on their daily operations.
Companies should consider compliance a necessary enabler to doing good business in a risky digital landscape
Cloud technology is extremely beneficial in ensuring businesses protect their data, therefore remaining compliant. These same solutions can also bring a business swiftly back online should the worst happen.
There isn’t a cloud service that doesn’t offer some sort of back-up or archiving solution – if on-site data is compromised, the back-up can be easily accessed. Online storage solutions also save a company from exposing its data to third parties, like hard drive recovery companies. There are even further advanced options to remotely wipe devices of information in the case of theft. And, with a focus on storage, cloud service providers are typically fully up-to-date and compliant with data handling rules themselves – capable of providing audit trails, and scrubbing data once its mandated storage period is over.
As for minimising downtime, major cloud players like Google, Microsoft and Amazon Web Services are known for their reliability, and extremely high availability of services. Cloud providers may even take on the monitoring of your business’s systems, alerting you of connectivity issues to their side.
Rather than viewing compliance-centred activities as a grudge investment, companies should consider compliance a necessary enabler to doing good business in a risky digital landscape. Compliance requirements are not there to slow a business down. In the long run, they serve an essential safeguarding function for everyone.