South African businesses often need help in managing their information through the entire information life-cycle – from creation to use to disposition and also adhere to stringent regulations. To this end, Iron Mountain recently launched a cloud-based retention and privacy policy management platform solution to assist them. Ryan Noik speaks to Takalane Khashane - Managing Director Country Head SA of Iron mountain, about data compliance, regulations and how technology can assist.

What was the impetus behind launching the Policy Centre solution?

Much of the personal information that is kept by organisations is in the form of data stored in databases or systems, and the rest will be in the form of documents or records.  Managing these correctly is imperative under POPIA. Iron Mountain’s Policy Center solution is a cloud-based retention and privacy policy management platform that provides a user-friendly way for organisations to know their obligations and show compliance. With Policy Center, organisations can manage their information through its entire life-cycle – from creation to use to disposition.

By maintaining accurate document retention and privacy policies, it means organisations can keep their retention and privacy policies current and reduce the risk of fines. It also allows organisations to save on information storage costs by confidently disposing of information. Lastly, it offers quick access to what organisations need when they need it.

How difficult has it been for South African companies to adhere to data management compliance requirements?

The difficulties experienced by many South African organisations with regards to data management compliance requirements with an act like POPIA stems from many companies adopting a wait-and-see approach before the act was enacted. Organisations had several years to prepare themselves, their systems and processes for compliance.

Certain parts of POPIA came into effect as far back as 2014, when the whole act came into effect on 1 July 2021, some companies were not where they should be in their compliance journey. For example, according to an Iron Mountain market insights research, only 45% of organisations were well prepared for POPIA compliance, while 43% said they were somewhat prepared but could be more so and 5% said they weren’t at all prepared.

It is therefore imperative that organisations find standardised and clinical ways of ensuring internal compliance. This has to become part of company culture and all internal stakeholders need to understand the significance of being compliant. The Policy Center solution can assist in creating internal compliance. The solution offers an Adversary Services team with deep information governance (IG) expertise that will guide organisations through the process of creating or revamping their information management policies for records retention and data privacy. This will assist to standardise how organisations handle, manage and store data, developing patterns of behaviour that build company culture over time. 

As I understand it, part of the challenge is that the rules keep changing. Can you explain why this is and is there any indication that it will stabilise in the near future?

We live in an increasingly digital-first world. New technological devices, services and solutions that interact with personal and business data are constantly being introduced into the market. It is common for the rules to change as ways of working change simulteounely. What makes compliance difficult for many organisations is they may lack the relevant knowledge and proper guidance through internal channels to align with data management acts.

Through Policy Center, organisations can overcome these challenges by getting access to expert guidance and tools to comply with POPIA and other data management regulations in South Africa and in markets they operate in across the globe. They will be able to continuously receive updated retention and privacy requirements to keep their policy management connected and dispose of information no longer needed.

How do automated tools fill in the gap in the meantime, so that organisations can respond to a constantly changing regulatory landscape?

Increasing privacy concerns and regulations like POPIA are elevating the need for privacy and retention to be managed together. Most organisations have a records retention schedule managed by the Records & Information Management department that governs policy for how long to keep all types of records, including records containing personal data. Separately, many organisations have a Privacy team that manages the privacy policy for records containing personal data. In some instances, these groups are under the same department, but in many cases, they are two siloes.

Increasing privacy concerns, news of high profile data breaches and heavy-hitting regulations such as POPIA are forcing these siloes to break down.

A solution such as Policy Center can assist in creating a single unified view of how to manage personal data according to policy, regardless of if the policy is being driven by retention or privacy requirements. This also allows organisations to meet the increased need to act on retention policy by disposing of private information as soon as possible so that it is not unnecessarily exposed to breach.

How does this affect organisations? Do they find themselves having to keep data for longer than they would have otherwise?

Not necessarily. Having organisations know where all sensitive data resides within their business is the first step in complying with strict data privacy regulations. By implementing an automated compliance tool that manages information through its entire life-cycle – from creation to use to disposition, places the organisation on the right trajectory towards compliance.  When added with a well-executed retention program, organisations can ensure that all information, especially personally identifiable information (PII), is disposed of as soon as it is no longer needed for business, legal or regulatory purposes.

If so, what impact does that have on the business financially and in other ways, i.e.., impacting on time that could otherwise be spent on innovation?

Policy Center offers organisations a single automated place to know their obligations and show compliance. Clients receive a feed of continuously updated retention and privacy legal citations based on where the company operates and the types of law required to support their retention and privacy policies.

After reviewing the updates, companies can authorise to automatically map the updated requirements into their record class structure and update their retention rules and privacy obligations accordingly. They also have the option to have Iron Mountain’s Advisory Services team monitor and map their updated citations on their behalf. They can then publish the updated retention rules and privacy obligations for the organisation to follow.

Such automated processes are much more cost-effective. Manual compliance processes keep organisations spending time and resources tracking regulatory changes instead of focusing on more strategic initiatives. Automated processes allow organisations to save on information storage costs, reduce unnecessary exposure to data breaches and reputational damage, reduce the effort of responding to privacy requests and reduce the risks of fines, which all impact the bottom line.

Can you also speak about the impact that solutions like Iron Mountain’s Policy Centre is intended to have on employees and people in general? How will it help them?

Adhering to privacy regulations for organisations is more than procedures and processes. It requires a culture where compliance is a central and permanent part of organisational culture. But this is challenging to achieve when the rules are constantly changing, and organisations lack automated tools to enable employees to understand what’s required of them across all geographies and industries in which the business operates. Iron Mountain’s Policy Center allows employees to have a firm grasp on compliance regulations by access to managed up-to-date retention guidelines from around the world that are researched, curated, and vetted by legal experts within specific industry verticals and countries.

When employees are empowered and privacy is part of an organisations’ systems and technologies, it starts to create a compliance culture that protects privacy by default while enabling the organisation to maximise on the data collected. It also creates a shared understanding of how personal data can and should be utilised by the appropriate employees to support broader strategic business objectives.