Small business data protection: low hanging fruit

The 12-month grace period for South African businesses to comply with the Protection of Personal Information Act (POPIA) ends on 30 June 2021.

Whether your business is listed as a corporate or sole proprietor, the legislation is binding, with non-compliance penalties of up to R10 million or 10 years in jail. That’s motivation enough to get your personal information records in order.

As a small business, a personal data breach, the primary blunder that POPIA seeks to mitigate against, can negatively impact your brand, resulting in a loss of trust and sales. Protecting the personal data that you process is no longer an option – it’s business-critical.

The good news is that there are a few steps you can take as a small business owner that’ll move you closer to POPIA compliance and significantly reduce the chances that you suffer a personal data breach.

In understanding what follows, keep in mind that ‘personal data’ relates to the processing (generally collection, sharing, or storage) of information for both natural and juristic persons. In other words, you need to protect the data of your employees and customers, as well as your suppliers and business partners.

Collect quality data

POPIA has eight conditions that need to be met when processing personal data. There’s a fair amount of legalese and overlap in these conditions, but the consistent message is to be purposeful about how you process personal data and transparent about your motives for doing so.

Accuracy in data collection and processing is paramount because, under POPIA, the person whose information you hold has the right to request their ‘file’ at any time. If their record is inaccurate, outdated, or incomplete, it could invite investigation into your POPIA compliance, which could impact your reputation.

For the sake of compliance and perception, then, a simple but systematic records management plan should be put in place, detailing how you’ll go about collecting information, how it’ll be processed, which details are required (age, gender, race, address, etc.), how long records will be kept, how you’ll dispose of redundant data, and who will champion the implementation of the plan (POPIA requires you to appoint an information officer). There are also numerous record management software solutions that you could consider.

Why would you make the effort to capture and process personal data in the first place?

One of the main attractions is being able to communicate with your target market effectively to drive sales; email marketing remains one of the most powerful tools for small business growth. In order to contact customers through such channels, you’ll need to have a record of where their personal data was collected from (website, competition, or tradeshow) to show that the target gave you permission to contact them. Without that paper trail, you’ll be non-compliant and vulnerable to penalties.

Sidebar: As a result of POPIA, we should all be receiving fewer cold calls once the grace period comes to an end. Thank goodness for that.

Store in the cloud

The safety of the personal data you process is largely dependent on where it’s stored.

Using a decentralised system – where data is spread out over numerous hard drives, or in physical draws and folders – is inefficient and dangerous because it makes it easier for you to lose that information, and easier for others to access it.

Choosing instead to store all personal data you collect and process in the cloud comes with the following advantages:

• Cloud service providers are increasingly using AI to conduct ongoing security analysis
• Built-in firewalls improve network security
• Data is backed up at multiple locations in case of disaster
• Access to data in the cloud can be restricted to only the employees who need it

Because you’ll now be required to divulge personal information upon request from the subject, having all their data in one place, organised in an orderly fashion, will also reduce the amount of time you spend dealing with such requests.

Let the upgrade run

You may think that small businesses like yours won’t attract the attention of hackers. You’d be wrong. They know that bigger businesses have the resources to protect their data; small businesses are an easier target because data security and protection often play second fiddle to the more pressing issues small business owners must conquer on a daily basis.

The nefarious ingenuity of those trying to commandeer your personal information means that your software providers constantly refresh their embedded security measures to keep your data safe. But if you don’t run your software updates when they’re released, your systems become temporarily vulnerable to attack.

Keep in mind that the cybersecurity resilience of your business is only as strong as the weakest link; if a hacker gains access through a poorly protected device, they can move through your network quickly. That means you need to have up-to-date software across all the devices used to keep your business running, including laptops, mobiles and tablets.

 Educate your employees

Human error is one of the biggest risks when it comes to protecting your business against a personal data breach. In the course of business, employees will have access to all kinds of sensitive information that, with or without them being complicit, could end up in the wrong hands.

It follows that your employees must be made aware of their obligations under POPIA, and what threats they are likely to face from the hacking underworld. This can be done via e-learning courses that are affordable and time conscious. But if you simply make data protection an item on your weekly or monthly agenda, so that it remains front-of-mind, your employees will be better able to spot the majority of circulating scams.

Making your business POPIA-compliant will take some work. But with a little perseverance in inputting the above measures into place, data protection will become second nature within your organisation.

Sage POPIA legal disclaimer

• The information contained on this website is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice.
• We would like to stress that there is no substitute for customers making their own detailed investigations or seeking their own professional advice if they are unsure about the implications of the POPIA on their businesses.
• Sage will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise, from the use of or reliance on this information or from any action or decisions taken as a result of using this information.