By Kathy Gibson – In the digital world, data has been described as the new oil, and companies are constantly seeking ways to use their data to improve customer experience, to develop new products, or to improve profitability.

But laws – like the GDPR in Europe and South Africa’s own Protection of Personal Information Act (PoPIA) – are designed to protect your data and ensure that companies can’t just use it in any way they choose.

This can seem like a stumbling block for sales-orientated companies, but it is possible to protect customer data, retain confidentiality, and still offer a great CX.

PoPIA was promulgated in 2013, and came into force in 2020, with a 12-month grace period. This gave South African companies a lengthy period of grace to get their houses in order.

Kyle Giltrow, executive head of legal and compliance at Pinnacle ICT, explains that PoPIA affects both digital data, and how it is stored electronically; and physical documents, which must be securely stored as well.

In addressing its own compliance, Pinnacle started with putting retention policies in place.

To stick to this policy, it's necessary to conduct regular clean-ups, when documents outside of the set time periods are destroyed. Pinnacle ensures that it erases the digital data that it holds, and that its physical document storage partner takes care of the hard copies in archives.

While the documents are still being stored – but not necessarily being regularly accessed – they must be secured, Giltrow explains. Those retained onsite are in secure locked rooms, with offsite documents secured by the offsite storage partner.

A number of documents have also been digitised, points out Christine Kriel, deputy information officer: PoPIA at Pinnacle. Once these are captured and saved securely, the hard copy originals also need to be destroyed.

Going forward, the distributor aims to make its record-keeping completely digital.

The transition from physical to digital is a monumental task, says Kriel, and is being undertaken over a number of stages.

“We are entering a more electronic phase now, with more documents now stored electronically than physically.”

Each year, the volume of physical documents gets less as older paper can be destroyed. Within just a couple of years, the only physical documents still in secure archives should be those relating to South African Revenue Services (SARS), Kriel adds.

Storage is just the first part of the document management story, though. Giltrow explains that access control is a big part of being PoPIA-compliant. “At Pinnacle, we’ve put systems in place to ensure that each server has different access controls for various individuals, depending on their clearance.

“At the same time, we have put in place a data mapping exercise that maps and classifies the private data for each department: what they collect, how it is stored, what the retention period is and more. This is all mapped in a spreadsheet and we ensure that once the retention period lapses, the data is destroyed.”

Artificial intelligence (AI) is the trend of the day, but Giltrow believes it is still a grey area when it comes to PoPIA compliance.

“Yes, we are looking at AI, but more from a fraud prevention point of view.

“As the technology gets more intelligent, it can start to understand the way people act and interact, so we can start picking up warning signs.”

AI is also being used by cybercriminals and there is a very real danger that bots could be used to impersonate suppliers or resellers. Giltrow says Pinnacle is putting fraud prevention measures in place that combine technology with human interventions.

“For instance we have implemented new verification processes and also insist on onsite visits with new suppliers, and physical deliveries for any new reseller’s first order. There will be more of these kinds of measures as AI becomes more sophisticated.”

One of the key concerns that PoPIA addresses is the security and privacy of personal data. Companies not only have a duty of care towards the information they are entrusted with, they also have to report any incidents.

Employees at Pinnacle receive regular training about the importance of reporting a data breach, and how this needs to be done.

“Should a breach ever occur, we have our own internal incident process where we track any potential leaks and notify the regulator,” Giltrow explains. “We then follow the correct processes: sending a mail to the impacted client; disclosing what was breached; what data has been compromised; what preventative measures we are taking; and advising on whether they should take any measures. We also determine if there are any internal actions that need to take place.

“The fact that we follow all the right processes gives clients comfort that we are aware of the issue and are addressing it.”

As a distributor, Pinnacle deals with a huge number of reseller customers as well as vendor partners, so breaches could potentially come from anywhere in the supply chain. “This is why we do everything, from a human and electronic perspective, to ensure we have the best possible security and processes,” Giltrow says.

“And we make sure we stick to the book when it comes to the personal information that our customers entrust us with. And we do regular training with our staff to limit the possibility of leaks as a result of accidental or social engineering.”

Kriel stresses the importance of this ongoing awareness training. “It makes sure that people think about requests, or the actions they perform. And they need to feel confident about coming forward if there is an issue, so we show them the severity of what can happen if there is a breach that we don’t report.”