The biggest challenge around POPI for the SME is a lack of understanding around the difficulties associated with becoming POPI compliant, says John Mc Loughlin, MD of J2 Software. For SMEs, as with so many things in business, keeping things simple is critical.
"Becoming POPI compliant does not need to be a long and costly exercise. There are cost-effective solutions available to the SME, which will allow them to demonstrate their compliance to POPI and other general ICT compliance clauses almost immediately."
Mc Loughlin believes SMEs should start with a policy that controls where and how sensitive information is stored and processed within the business, and then enforce and report on compliance to these policies. "The key is to have visibility – do you know what has changed? Who moved the data and where it was moved to?"
For example, he says, if none of your employees need to work on sensitive data outside of the office, ensure that this data never leaves your servers, regardless of whether they are in-house or hosted. On the flip side of the coin, if your employees do need to work with sensitive data away from the office, make sure you know exactly what data is being used, when it is accessed and how it is protected. "These are simple steps to not only ensure compliance, but also give an SME business a more professional image. As with anything, it is impossible to manage something which you cannot see. Having this visibility means you will immediately know where your information is and who is accessing it. DLP and compliance need not be the bane of your existence."
Choosing a provider is the next step, Mc Loughlin says. "Look for a provider that gives you what you need, instead of technology for technology's sake. Sit down with a proven and reputable SME provider – with a deep understanding of SME businesses – to see where the gaps are and quickly and cost-effectively come up with a solution."
However, he says, technology is only one part of the equation. "Technology is essential to the management of the data, and must cover specific business and legal requirements. Any solutions the business adopts must not only improve their operations, but also ensure compliance with relevant laws and codes. It all comes back down to policy. Do you have a policy around information security and device and data usage? What is the policy? Can you show it to us (or to your staff)? And then, how do you measure compliance and enforce it? Having a great laminated and beautiful policy is worthless if it is not enforced and measured."
At the end of the day, Mc Loughlin believes many SMEs are aware of the possible repercussions of not being POPI compliant, but are currently ignoring it, acknowledging it only in private and when it keeps them awake at night. "Nobody wants to be the first test case and pay the first fine – so if presented with the right solution at a reasonable price, the uptake should jump rapidly."
He says many forward-thinking SME business owners will take the steps required to be compliant, while others will only consider it in more detail when they are sitting in front of the regulator, pondering their fine and watching their business fall apart in front of them. "J2 has both the solutions and the expertise necessary to guide SMEs towards POPI compliance. I hope that we continue to provide SME businesses with the right tools to ensure that it is not them sitting on the wrong side of the regulator."