New laws in SA will compel companies to manage their data properly. But there's almost no guidance on how to proceed.
Sooner or later, someone in your organisation is going to say: "We need to be compliant." The first question to ask is: "Compliant with what?" The ECT Act is a typical answer, but the Protection of Personal Information (PPI) Bill will soon be another good one.
PPI's goal is "to promote the protection of personal information processed by public and private bodies, and to introduce information protection principles so as to establish minimum requirements for the processing of personal information", according to the preamble.
Some of its sections have significant implications for companies that keep any form of information about their customers that could be construed as personal. But where is that information stored now? How is it organised? Is it even classified properly? The CIO who needs to answer these questions could be forgiven for being overwhelmed, even if he already has an information life cycle management strategy.
"I've read through it because I have to understand it on behalf of my clients," he says. "My first response to them is you need to understand your own business first. Businesses need to understand what information they have. Once they know that, only then can they understand what legislation is relevant and how it will affect them."
Bryan Balfe, business development director at CommVault, says there are two wrong approaches to the legislation.
"We're seeing a lot of people doing one of two things," he says. "One is ignoring the issue until hopefully someone else goes to jail. The other is deciding King III is something they do professionally and forgetting what business their own company is in. They then start on a project to 'Kingify' their entire business. I couldn't agree more about understanding which parts are relevant. You can find people incurring massive cost deploying complicated technology and still looking like twits because they haven't deployed what they should have."
Kendall Watt, presales engineer at Mimecast, says this is because of a lack of guidance.
"A number of our customers are frustrated by the fact that there are no clear guidelines about what they need to follow," he says. "The ECT Act doesn't actually speak directly about records retention periods, for example, and customers don't know where to turn. There are a number of ICT lawyers out there, but the customers don't know about them so they're asking their vendors and partners about how long they should be storing information."
Half the trouble is that this isn't a technology problem.
"There is a lot of technology out there and a lot of people think that if they install a certain piece of technology, they will be 100% compliant," notes Charles de Jager, solutions specialist at SAP. "But there isn't a magic button. There isn't something to buy off the shelf to do that. Gartner has said manage information and not technology. We spend too much time worrying about hardware and software and we haven't concentrated enough on what our information really is and how it should be classified. It's not about data warehousing or BI, but rather 'what is information management?'"
The reason is historical, says Paul Walker, product specialist at Informatica. "As we saw the introduction of CRM, ERP and the digitising of business processes, businesses thought they could suddenly wash their hands of the problem," he says. "It's an IT problem! IT has to maintain it, report on it, back it up and so on. They thought that was the end of it. Now we've gone back and told them that they need to care about all of this."