Now is the time for companies to ensure their data is compliant with the Protection of Personal Information (PoPI) Act. Although South African businesses have been slow to prepare for PoPI, intelligent data management can greatly simplify this mammoth task. Wavering is no longer an option: despite the lengthy process to publish the final regulations, the next step is to establish a deadline. Thereafter, organisations will have a grace period of only one year to comply and avoid heavy fines of up to 10 million rand and other dire consequences such as imprisonment.
The first step – data encryption
When it comes to protecting any information, the way data is secured across the value chain needs to be addressed first and foremost. Encryption is the gold standard for ensuring adequate protection, and while many businesses currently encrypt their data only at the storage layer, this is simply no longer enough. A data breach may occur at any point, including internally and while data is in transit, and organisations will be in breach of PoPI if they cannot prove that this data is protected.
The General Data Protection Regulation (GDPR) is the European equivalent of PoPI and must be adhered to by all South African companies that do business with companies based in the European Union (EU). GDPR enforces standards similar to, if not stricter than, those of PoPI. For example, GDPR states that if data is encrypted, compliance is still maintained in the event of a breach and data theft, whereas the PoPI Act does not necessarily say this. Moreover, GDPR requires data to be encrypted both at rest and in transit. As a result, data needs to be encrypted end-to-end, from the storage layer through the database to the application layer, to ensure GDPR compliance, and this will in turn guarantee PoPI compliance.
The implications of encryption on storage costs
The challenge of end-to-end encryption with data residing on certain storage media is that it can result in storage costs spiralling out of control. This is because many of these solutions rely on data reduction techniques such as deduplication and compression to keep storage costs down. However, these techniques cannot be used on encrypted data: properly encrypted data is indistinguishable from random bytes, so identical records no longer produce identical blocks to deduplicate and there is no redundancy left to compress.
Encrypted data can make data storage between three and five times more expensive, which can have a significant impact on any business's Total Cost of Ownership (TCO). In addition, it can negatively affect storage performance, with a knock-on effect on the performance of the business as a whole. It is essential to implement an intelligent storage solution that will prevent this increase in cost and decrease in performance as the amount of encrypted data grows.
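As an added illustration (not part of the original article) of why data reduction fails once data is encrypted above the storage layer: the script below builds a constructed backup-like dataset of repeated records, measures its deduplication and compression ratios, then encrypts it block by block with a unique nonce per block and measures again. The keystream is a SHA-256 counter-mode construction used only to make the ciphertext look random; it is a demonstration, not a production cipher, and the key and dataset are constructed values.

```python
import hashlib
import zlib

BLOCK = 4096  # fixed-size blocks, as a storage-layer deduplicator would see them


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Demonstration keystream (SHA-256 in counter mode). Not a production cipher;
    # it only needs to produce random-looking output, which is the property that
    # defeats deduplication and compression.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_blocks(data: bytes, key: bytes) -> bytes:
    # Encrypt each block under a unique nonce (its offset), as an application- or
    # database-layer encryptor would. Identical plaintext blocks become distinct.
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        ks = keystream(key, i.to_bytes(8, "big"), len(chunk))
        out += bytes(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def dedup_ratio(data: bytes) -> float:
    # Logical blocks stored / unique blocks kept (content-hash deduplication).
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    unique = {hashlib.sha256(b).digest() for b in blocks}
    return len(blocks) / len(unique)


def compression_ratio(data: bytes) -> float:
    return len(data) / len(zlib.compress(data))


def sample_dataset() -> bytes:
    # Constructed sample: 64 blocks, only 4 distinct, each made of repeated
    # short records (stands in for duplicated customer data in a backup set).
    distinct = [(f"customer-record-{n};" * 300).encode()[:BLOCK] for n in range(4)]
    return b"".join(distinct[i % 4] for i in range(64))


def compare(key: bytes = b"demo-key") -> dict:
    plain = sample_dataset()
    cipher = encrypt_blocks(plain, key)
    return {"plain_dedup": dedup_ratio(plain), "plain_compress": compression_ratio(plain),
            "cipher_dedup": dedup_ratio(cipher), "cipher_compress": compression_ratio(cipher)}
```

Running `compare()` shows the plaintext deduplicating 16:1 and compressing heavily, while the ciphertext deduplicates 1:1 and does not compress at all, which is the cost multiplier the article describes.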
An intelligent solution, an intelligent choice
Storage must address three key areas, namely capacity, cost and performance. The typical way of addressing performance challenges is to utilise All-Flash Arrays (AFAs). However, these are very expensive, so achieving high capacity is costly, especially when end-to-end encryption is required, since data reduction does not work on encrypted data. Conversely, intelligent software-based solutions can address all three of these areas, using commodity hardware to control cost and increase capacity while delivering high performance. This enables end-to-end encryption to be implemented cost-effectively for optimum data protection and compliance. So, is an intelligent software storage solution the answer to PoPI compliance?
The long and short of it
If data is encrypted end-to-end, PoPI (and GDPR) compliance is maintained, even in the event of a data breach. This means you will not be fined, your reputation will remain intact, and any negative impact resulting from a breach can be mitigated and contained. A proper encryption strategy combined with an intelligent software-based solution eliminates the risk of sensitive data being compromised as well as the risk of a PoPI-related penalty. If you are not prepared for PoPI, the time to start is now, or face the repercussions of non-compliance that could cripple your business.