Keep your email and file databases POPI compliant

Posted on November 22, 2019

South Africa’s Protection of Personal Information Act (POPIA)

Keep your email and file database POPI compliant — South Africa’s POPI Act

Data privacy is a worldwide concern for many businesses – especially as regulations such as GDPR, CCPA, and POPIA (the Protection of Personal Information Act) have come or are coming into effect. Want to keep your email and file databases POPI compliant? Read on…

So What is POPI Act or POPIA?

POPI refers to South Africa’s Protection of Personal Information Act which seeks to regulate the Processing of Personal Information. It is South Africa’s equivalent to the EU’s GDPR. The POPI Act is well on its way to being implemented in South Africa. In order to ensure your data practices don’t contradict the act you need to be prepared, once implemented companies will have only 12 months to comply.

Who does POPIA affect?

POPIA affects all organisations that store, collect or process personal information are required to comply.

Personal Information broadly means any information relating to an identifiable, living natural person or juristic person (companies, credit cards, etc.) and includes, but is not limited to:

contact details: email, telephone, address, etc.
name of the person if it appears with other information relating to the person,
demographic information: age, sex, race, birth date, pregnancy, marital status, ethnicity, disability, religion, sexual orientation, language, etc.
history: employment, financial, educational, criminal, medical history
biometric information: blood type etc.
the views or opinions of another individual about the person.
correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

“The POPI Act will affect almost all businesses in South Africa”

Does POPI really apply to our company?

Accountability for personal data is the responsibility of each public or private body. Generally, the Responsible party must be a resident in South Africa or the processing should occur within South Africa (certain exclusions apply).

The risk includes reputational harm, fines and imprisonment, and paying out damages claims to data subjects. The greatest risk, after reputational harm, is a fine for neglecting to secure record details.

There are also some benefits associated with complying with the POPI act, it is safe to say that consumers will feel more confident doing business with companies that are transparent and showing compliance with the POPI legislation.

Where POPI does not apply. Exclusions include:

purely household or personal activity.
some state functions including criminal prosecutions, national security, etc.
journalism under a code of ethics.
judiciary functions.

Why should I comply with POPI?

POPI endorses transparency about what personal information is collected and how it is to be processed. This honesty is likely to increase customer confidence in an organisation, public or private.

POPI compliance includes capturing and retaining the minimum required personal data, ensuring the accuracy of that data, and removing the data that is no longer required (Similar to GDPR). These actions will help improve the overall reliability of the databases companies hold.

POPI compliance also requires that the organisation can identify personal information and can take reasonable measures to protect the same data. This will likely reduce the risk of data breaches and the associated public relations and legal ramifications for the organisation.

Non-compliance with the Act could expose the Responsible party to a penalty of a fine and/or imprisonment of up to 12 months. In certain cases, for more serious offences, the penalty for non-compliance could be a fine and/or imprisonment of up 10 years. It is vital that organisations keep their email and file databases POPI compliant.

How can Waterford Technologies help?

Data compliance starts with visibility – Waterford Technologies gives clients, the visibility they need for effective monitoring, eDiscovery, auditing and reporting across a variety of data regulation standards. Our ComplyKEY suite empowers you to easily reduce email and file risk, detect and respond in real-time to threats and prove regulatory compliance with acts such as POPI, ensuring that you keep your email and file database POPI compliant.

ComplyKEY is a compliance and data management platform where you can find every single email and file in your organisation, conduct e-discovery, freedom of information and subject access requests directly from your desktop anywhere.

Key Benefits

Governance- Proactive approach to data transparency by classifying before archiving is a key requirement of POPI.

Compliance – Preventative monitoring of email internally & externally to identify & remediate risk.

Data Retention Management and Erasure- Increases efficiency, retention can be controlled by time and/or by person groups. As mentioned above POPI compliance includes capturing and retaining the minimum required personal data, ensuring the accuracy of that data by removing the data that is no longer required.

Investigate & Message Filtering– Advanced e-Discovery with keyword search, word lists, & regular expressions (REGEX) capabilities.

Be POPI compliant

Although you have a one-year grace period to update your systems, the time to prepare for POPI is now. Get in touch with Waterford Technologies to discuss how we can help your email and file database POPI compliant.

Laura Stotesbury

Head of Marketing

Waterford Technologies

First Multi-Million GDPR Fine in Germany

Posted on November 14, 2019November 14, 2019

€14.5 million fine for not having a proper data retention management policy in place

On October 30^th, 2019, the Berlin Commissioner for Data Protection and Freedom of Information made history by delivering her first multi-million GDPR fine to the German real estate company, die Deutsche Wohnen SE for not having a proper data retention management in place, direct infringement of the General Data Protection Regulation (GDPR)

This is the highest GDPR fine to be issued in Germany to date.

Why the infringement?

Deutsche Wohnen SE has been accused of utilising an archiving system for the storage of personal data pertaining to their tenants which does not facilitate the erasure of data that is no longer necessary or required. This data was of a personal nature i.e. it included personally identifiable information (PII), such as tax data, social security, and health insurance data, bank statements, employment contracts payslips, etc.

Deutsche Wohnen SE was audited in June 2017 and was made aware that they were in breach of data protection regulations at the time. Following another audit in March 2019, Deutsche Wohnen SE was again unable to prove a legal ground for the continued retention of the same PII data or demonstrate the ability to clean up their databases by deletion of no longer required data.

Deutsche Wohnen SE did, however, try to start a project to clean up the data however, the Berlin DPA found that these measures were not adequate.

“Deutsche Wohnen could have readily complied by implementing an archiving system which separates data with different retention periods thereby allowing differentiated deletion periods as such solutions are commercially available.” Maja Smoltczyk, Berlin Commissioner for Data Protection and Freedom of Information (Berlin DPA)

GDPR articles enforced

Article 25 (1) and Article 5 of GDPR were actioned against Deutsche Wohnen SE. Article 25 (1) GDPR requires data controllers – subject to additional preconditions – to provide for appropriate technical and organisational measures which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of GDPR and protect the rights of data subjects. Article 5 in brief states that that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’) and kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’).

Calculating the €14.5 million fine

It seems that the Berlin DPA applied the recently published fining guide of the German supervisory authorities. Looking at the calculations it is apparent that 2% of annual revenues were enforced instead of the 4% of annual revenue that is laid down by GDPR as a maximum infringement of Article 5. In order to reduce the fine that Berlin DPA has taken into consideration that the company had taken some measures to try to remedy the infringement as notified back in June 2017.

“I recommend all organizations processing personal data to review their data archiving for compliance with the GDPR.” Maja Smoltczyk, The Head of the Berlin DPA

Data commissioners in Europe are really starting to up their game when it comes to issuing GDPR fines. Controllers and processors of data must now take urgent action to review their processes and examine their handling of personal data, regardless of where they are situated. Waterford Technologies can readily assist you with the creation, adoption, and implementation of such data retention policies.

ComplyKey offers more granular control of your email and file data for retention and destruction management

Waterford Technologies offers a retention management solution for GDPR and other data protection regulations, that is comprehensive, easy to use and powerful at protecting and enforcing your company’s retention policies.

The ability to create multiple retention categories and tags and assign different periods to specific users and departments gives you total control over email and file retention and destruction.

Enforce Retention Policies

One of the greatest assets of an email and file archive is control over the retention of messages in the archive. With the Waterford Technologies retention feature, you can ensure that your retention policy is adhered to by creating retention categories and tags or setting custom retention periods for individual users or emails.

Retention can be controlled by time and /or by person groups. Person groups can be created that contain current and former users and then retention categories can be applied to those groups. For example, your organization wants to set a retention policy of 5 years for all message but users in the Executive or Financial organisations need to be kept for 7 years. MailMeter set it and forget it Retention Policies make sure that messages are kept according to your record retention policies.

Intelligent Destruction

ComplyKey’s retention feature automatically evaluates your retention policy on every scheduled run. If the policy has been changed at any time, the module will automatically enforce the new policy and purge emails tagged for deletion on its next run. This allows you to intelligently control not only retention but also the destruction of email.

Avoid Accidental Deletion

The ability to retain specific emails or messages from specific users and apply a litigation/legal hold to relevant emails allows you to avoid accidental or wilful deletion. For example, applying a litigation hold to an email will ensure that it will be retained past its normal retention period. After the mail is no longer required, removing the litigation hold will mean the mail is automatically purged on the next scheduled run.

Meet Regulatory Requirements

Implementing an adequate retention policy is key to ensuring regulatory compliance. Your business may be subject to many regulations including Sarbanes-Oxley, FINRA, HIPAA, and GDPR. The ability to create sophisticated and granular retention policies with ComplyKey will help your business to achieve regulatory compliance.

ComplyKey Retention Benefits

Enforce email retention policies
Protect against accidental deletion
Prevent wilful destruction of email
Meet regulatory requirements

Take urgent action to review your companies processes and examine your handling of personal data, regardless of where you are situated. Waterford Technologies can readily assist you with the creation, adoption, and implementation of such data retention policies.

Contact our Sales team now or request a free demo to see how Waterford Technologies might be able to help your organisation with their data retention management for GDPR and numerous other global data protection legislation.

Laura Stotesbury

Head of Marketing

Waterford Technologies

Utility Companies – How Much Personal Data Resides On Your Servers?

Posted on October 8, 2019October 8, 2019

How to implement proactive email and file compliance in the digital era.

Data compliance and management has become a key requirement for businesses in today’s economy due to the arrival of new and updated data regulations such as GDPR, MiFID2, FOIA & CCPA. In the digital age, companies are responsible for increasing amounts of data, both of their customers as well as their own employees.

This is especially important for the Utilities Sector where large utility companies in the digital era are driven primarily by data.

Continue reading “Utility Companies – How Much Personal Data Resides On Your Servers?” →

The True Cost of Data Non-Compliance

Posted on September 13, 2019September 17, 2019

For many years now, people have talked about the importance of data. It has been argued that due to the insight and knowledge that can be taken from it, data has now become more valuable than oil.

Nowhere is this more obvious than within large organisations, who can hold TBs of unstructured data (data that does not have a pre-determined model) of their customers and employees.

Continue reading “The True Cost of Data Non-Compliance” →

Why Credit Unions need to understand their unstructured data.

Posted on August 7, 2019August 7, 2019

How to manage the unstructured data explosion and manage GDPR compliance

The financial services industry is facing a period of extensive changes in the forms of fintech disruption and challenging data regulations. In order to remain relevant in this new arena, credit unions must be able to integrate and optimise all their data.

Continue reading “Why Credit Unions need to understand their unstructured data.” →

Waterford Technologies Launches MailMeter- Version 7.1

Posted on July 30, 2019September 20, 2019

Organizations are finding today that meeting regulatory requirements and complying with new and current legislation is a challenge.  Unstructured data like email presents a whole range of hurdles when trying to prevent violations or when responding to discovery requests.

Unstructured data makes up 80% of storage on your servers.

It is generated by conducting your day to day business and consists of email and files such as documents, images, and videos.

Without the correct management tools, this particular data is difficult and time-consuming to see and uncover,- a key requirement of GDPR, FOIA, and general data regulations.

Waterford Technologies has significantly invested in the development of our product set to provide Compliance functionality for unstructured data in both email and file. We have introduced a powerful smart GDPR, FOIA, and eDiscovery solution reimagined to make it easier for you to effortlessly manage your email data- no matter the size of your company.

Available this July, Waterford Technologies are delighted to announce the launch of MailMeter 7.1, enabling organizations to meet demanding compliance requirements and address eDiscovery requests easily, quickly and effectively.

What has changed?

MailMeter 7.1 is a pro-active Microsoft Azure SAAS cloud and on premise-based compliance and data management platform where you can find every single email in your organization, conduct e-discovery, Freedom of Information and DSAR’s searches directly from your desktop. The platform gives you the ability to narrow the scope of your search across email using clearly defined criteria giving our clients the visibility they need for effective monitoring, eDiscovery, compliance, auditing & reporting across a variety of data regulations.

New Operations Portal, a completely redesigned user interface – individual search, e-Discovery search, compliance policies and message retention under a single interface
Real-time message filtering, tagging, and labeling- MailMeter cloud message filtering enables an organization to define proactive pre-archiving rules that can discard, tag or label messages based on message participants, message type or keyword content in the message to control archive content, identify compliance violations and assist message analysis.
Scoped searching- MailMeter Cloud enables authorized users to set up restricted access for eDiscovery or compliance searching. Using scoped searches, archive access can be limited to any search criteria, which specific types of tags can be used, and which type of actions can be performed.
Compliance policies- this new feature enables organizations to establish policies that automatically monitor and identify non-compliance email communication. Reviews can quickly be performed to take actions based on internal policies to reduce risk and ensure regulatory compliance.
Delegated access- The new delegated Access feature enables one user to access and search another users email stored in the archive. This feature can be used to allow a manager to access their current and former team members email. You will no longer have to retain former users mailboxes to enable other users to access that users’ messages. All activity performed by the delegated user is recorded in the audit trail.

Benefits you will love-

Legal search cost savings and speed of recovery
Respond to DSAR’s promptly
Help avoid data regulation penalties and reputation damage
Storage and back up cost savings
Direct line access to storage
Encryption of stored data
Full audit trail for email

ComplyKey

MailMeter 7.1 is a key feature in our ComplyKey Suite- ComplyKey Suite is built around two ideas, First, full visibility into your email and file volume and activity enables you to more effectively and efficiently manage your data 24/7. Second, companies need a tool that is data regulation audit-ready, flexible enough to support your GDPR, FOIA and data compliances policies and agile enough to deal with subject access requests (DSAR), freedom of information and e-discovery searches across your email and file data.

For more information on finding the right data compliance and management solution to fit your organizational needs, simply contact us for a callback.

California Consumer Privacy Act – Are you ready for January 2020?

Posted on July 18, 2019July 18, 2019

The CCPA will take effect on January 1, 2020- Are you ready?

Like Europe, California has been trying to pass updated data protection for many years now. While the General Data Protection Regulation came into effect on May 27^th, 2018, to a lot of media attention & speculation. The road to rolling out the California Consumer Protection Act (CCPA) has not been as smooth and attention-grabbing.

Continue reading “California Consumer Privacy Act – Are you ready for January 2020?” →

GDPR One Year On: End of the Era of Leniency

Posted on May 21, 2019May 22, 2019

Is the measured, constructive period over? Will year two bring about a more enforced GDPR?

We are now nearly a year on since the General Data Protection Regulation (GDPR) was brought into law by the EU on May 25^th, 2018. Though only implemented in Europe, its effects have been far-reaching around the globe.

Continue reading “GDPR One Year On: End of the Era of Leniency” →

Unstructured Data and the Not for Profit Sector

Posted on May 7, 2019May 8, 2019

Are you drowning in vast amounts of data and not sure where the lifebuoy is?

Unstructured data is like the deep ocean, very much an unknown, difficult to view, access and a large proportion unused. Organisations are in unchartered waters when it comes to managing risks, fulfilling personal information requests (PII’s) or data subject access requests (DSAR) under GDPR.

Continue reading “Unstructured Data and the Not for Profit Sector” →