On a recent trip to South Africa, where Symantec sponsored an event with PricewaterhouseCoopers (PwC) entitled The Protection of Personal Information (POPI) Drives Information Governance, customers and partners shared important insights. One major concern the attendees had was how they will comply with the newly proposed privacy legislation set to pass any day now.
POPI is the first comprehensive body of law addressing privacy in the country. Personal data is defined as a natural person’s name, date of birth, national identification number, passport number, health or credit information and other personally identifiable information. The bill has eight principles, each of which addresses aspects of how data must be collected, stored, processed, secured, expired and how access may be granted. This bill will apply to both public and private organizations and is driving the need for archiving, classification, eDiscovery, and data loss prevention technology.
Interestingly, the main motivator for purchasing eDiscovery technology will be the need for organizations in Africa to be able to conduct internal investigations to detect fraud. South Africa’s recent POPI legislation was crafted in order to address the age of digital information and the risks associated with it, but also to instill a level of confidence from the global economy in South Africa as a safe place to do business. A recent survey by Compuscan found that South Africa and Nigeria have the highest number of reported fraud cases in Africa. In addition, fraud related crimes have cost African businesses and governments at least $10.9 billion in 2011-12. Of the 875 reported cases, 40% of fraud perpetrators were in upper management.
Archiving the email of top management is a recommended best practice to address this fraud because it ensures that there will be a record of electronic communications should an investigation or lawsuit be necessary. Similarly, leveraging in-house eDiscovery and data loss prevention (DLP) technology enables investigators within the organizations to collect and analyze these emails in conjunction with other pertinent information to detect and even prevent fraud. To date, the majority of organizations in South Africa lack this kind of capability because they have not invested in technology.
Because corruption and fraud have been impediments to doing business in South Africa in the past, businesses and the government are taking steps to address these issues. Having the ability to conduct internal investigations will be a huge advantage for organizations looking to gain control over their information and those who commit fraud. PwC Partner Kris Budnik noted at the conference, “Many times when clients call me for an emergency forensic investigation, about 50% of the time in South Africa I cannot help them. The reason for this is that the clients are not keeping the appropriate information governance systems in place and not keeping log files. Many times when we go to collect evidence, none is there because it has truly been overwritten in the data environment due to poor information governance practices.”
Litigation does not appear to be the biggest factor for purchasing eDiscovery technologies and implementing workflows as one might expect. The reason for this is unclear, but may be related to a less aggressive litigation profile as compared to that of the U.S. Much of the discovery in South Africa that involves electronically stored information is printed, reviewed and produced in paper format. The concern over retaining relevant metadata and reviewing/producing data in the format data was originally created does not seem to be top of mind for litigators.
Litigators in South Africa are not taking advantage of the rich information in metadata to supplement their cases or to challenge opposing counsel’s claims/productions. Also of concern is the inability to deduplicate and sort data once metadata is removed. The reason for this is most likely because there have not been enough cases where lack of metadata has been challenged. With time, and as cross-border litigation increases, there will be more demand for eDiscovery technology in the traditional legal context.
The increase in privacy concerns and internal fraud investigations presents a compelling reason for investing in archiving, eDiscovery, and DLP technologies for businesses in South Africa. Many organizations are moving data to the cloud to streamline POPI related objectives faster and because outsourcing their infrastructure is very attractive to organizations that don't want to own the responsibilities of managing their information on premise. The main business drivers for cloud archiving in South Africa are: email continuity, cost and compliance.
It is interesting to observe how different countries and economies respond to technology and what drives use cases. The legal frameworks in each jurisdiction around the world vary, but the great equalizer will be technology. This is because whether it is privacy, litigation or fraud driving the information governance plan, the technology is the same.
Check out this article for more information on privacy legislation in South Africa.
Available soon: please visit our eDiscovery passport page for more information the legal system, eDiscovery, privacy and data protection in South Africa and other countries.