Data security laws mandate that organisations implement adequate safeguards to ensure the protection of company and personal information, especially when it comes to the disposition of redundant IT assets. This is according to Xperien CEO Wale Arewa.
As data security is the biggest driver of IT Asset Disposition, there are many regulations to consider, such as the Protection of Personal Information Act 2013 (PoPI 2013), the National Environmental Waste Management Act 2008 (NEMWA 2008), the Consumer Protection Act 68 of 2008 (CPA) and King IV.
The King IV Code requires that all governing bodies ensure that their organisations are protecting the privacy of personal information. It requires disclosure of the status of lawful processing of personal information in the annual integrated reports.
Prof Mervyn King stated the overarching objective of King IV is to make corporate governance more accessible and relevant to a wider range of organisations, and to be the catalyst for a shift from a compliance-based mindset to one that sees corporate governance as a lever for value creation.
Although IT governance was first dealt with in King III, the scope has expanded considerably and much more emphasis has been placed on information and technology governance in King IV.
As with the other practices, the King IV Code requires an explanation of how the recommended practices have been implemented and how these achieve or give effect to the principle and the achievement of the governance outcomes expected by the stakeholders.
The King IV approach puts the emphasis on the outcome envisaged by the principle and allows for flexibility of application. The governing body is required to oversee the implementation of the recommended practices or the alternative practices, and ensure that these practices achieve or give effect to the principle and the overarching governance outcomes.
The PoPI Act regulates how companies handle, keep and secure personal information and was already signed into law three years ago. With the appointment of the Information Regulator, companies urgently need to upgrade their information technology security systems ahead of the implementation of the Act.
As one of the aims of the PoPI Act is to provide persons with rights and remedies to protect their personal information, some of the organisation’s stakeholders will be interested in knowing how the organisation protects the privacy of personal information so that they can make an informed assessment of the quality of the governance being applied to the processing of personal information.
Consequently, it is important that governing bodies oversee the adequacy of the disclosure in the organisation’s annual integrated report (or an accessible part of another report) and check that management has provided a sufficiently detailed explanation that goes beyond mindless compliance.
One could summarise King IV as ‘transparency’: it builds on its predecessors’ positioning of sound corporate governance as an essential element of good corporate citizenship. Good corporate governance requires an acknowledgement that an organisation doesn’t operate in a vacuum, but is an integral part of society and therefore has accountability towards current and future stakeholders.
King IV reinforces the notion that good corporate governance is a holistic and interrelated set of arrangements to be understood and implemented in an integrated manner. It asks for mindful application of the King IV Code and for its recommended practices to be interpreted and applied in a way that is appropriate for the organisation and the sector in which it operates.
Organisations need to revisit their IT governance frameworks, charters, and policies. They should be transparent on various aspects including management of information and technology and remedial action that will be taken when major incidents occur.