Data management

Our data is one of our most valuable assets, and we have kept up to date with best data management practices since our first data warehouse was built in 2008.

In South Africa, POPIA became effective on 1 July 2021. In the UK, our operations are subject to the European Union's General Data Protection Regulation Act. Both pieces of legislation aim to ensure that all institutions act responsibly when collecting, processing, storing and sharing personal information. While this requires wide-scale changes across the Group, the upside is that our customers will have a high level of comfort that their personal information is managed securely and responsibly.

Cybercrime continues to increase in prevalence and severity, requiring robust measures to manage this threat to operational resilience, and secure our information assets and reputation. The threat affects all aspects of our information management systems – from the basic documentation processes in dealerships and branches to all the devices used every day throughout the Group as well as our core network and server infrastructure. Remote working due to COVID-19 has required additional interventions. As the digitisation of the automotive industry increases in pace, cybercrime trends are expected to intensify.

What we are doing

POPIA compliance

We take appropriate measures to protect the confidentiality, integrity and availability of our information assets. Our employees are subject to a duty of confidentiality.

We adopt an integrated and holistic approach to addressing POPIA requirements, not only in how we collect, manage and secure personal information but also in ensuring that our employees and representatives have the right level of access to the information they need to do their work and meet customer expectations. We have leveraged our data protection experience gained in the UK to identify the business process changes needed within the various businesses to meet the Act's requirements. The POPIA working group determines the action plans needed to drive change, and acts as a mechanism to share learnings across businesses in the Group.

Cybersecurity

Our Group-wide cyber resilience and data framework aligns with international standards and best practice, including salient POPIA requirements and the General Data Protection Regulation Act rules.

Our comprehensive security solutions and tools include cyber-threat analysis, vulnerability assessment, end-point detection and response capabilities, user access management and integrated incident response procedures. We balance the appropriate security rules and infrastructure for each individual business, leverage Group knowledge and processes, and include the risk and audit functions in our cyber-related efforts.

Strategies are in place to manage data leaks (particularly of customer personal data), web security, and data backup and recovery (systems and data restoration capability to ensure business continuity and prevent further exposure). We work with technology and financial partners to develop integrated data security solutions and reduce cyber risk for our customers and businesses; this includes an external partner review of our IT security measures against best practice. A 24/7 incident detection and alerting capability supports timely response to suspected cybersecurity incidents. Having comprehensively assessed our cyber risk strategy, we have secured cyber risk insurance cover for the businesses where it is most applicable.

A critical element of securing our systems and data is employee behaviour. Throughout the Group we have increased our training and awareness on data privacy and information security policies, standards and practices. Our people also have access to cybersecurity guidelines.

How we measure our performance

In Financial Services, where the protection of customer and financial information is most critical, we measure the maturity of our cybersecurity capabilities against the National Institute of Standards and Technology (NIST) Cybersecurity Framework¹. The framework's five critical capability domains include cyber risk management and oversight, threat intelligence, cybersecurity controls, cyber incident response and external dependency management. Capabilities in each domain are assessed quarterly and consider prevailing industry and regional conditions and threats. Additional operational security measures include continuous vulnerability assessments, periodic network and application security testing, event monitoring and incident tracking.

Governance of data management

2021 performance and looking forward

Group

  • We made satisfactory progress on increasing our IT monitoring and controls.
  • There were no incidents of non-compliance with data-related regulations and/or voluntary codes during the reporting year; however, computers were stolen during the July 2021 riots.
  • Objective: ensure proper oversight of business segment IT functions and Group-wide adherence to governance policies and frameworks as well as applicable legislation.
  • Objective: maintain mature security practices with appropriate risk management actions.

Business specific initiatives and highlights

South Africa

  • Completed an external IT audit, accelerated our investment in cybersecurity measures, customised security frameworks per business segment based on the Group cyber resilience framework and improved cybersecurity awareness, educating employees on new cybersecurity risks.
  • Security for remote working practices is aligned to Group policy. Call centre personnel and back office employees are fully enabled to work from home, connecting securely to the office networks and systems.
  • We will continue to enable new processes to maintain compliance with POPIA requirements and best practice IT governance, including continuous awareness raising initiatives to enhance data handling behaviour.
  • Financial Services met the target to achieve a maturity level of between 80% and 90% for all five critical cybersecurity capability domains by March 2021. Going forward, the business segment will continue to use digitisation to protect the confidentiality, integrity and availability of information assets, and maintain the maturity levels for all five cybersecurity capability domains.

UK

  • In the UK, we are implementing further encryption measures, including multi-factor authentication. In F2021, we launched a cybersecurity training programme targeting over 2 000 employees and developed additional IT security policies.
  • Over the medium term, we will ensure data is classified correctly and secured according to this classification, and we will implement cloud storage.

¹ The NIST Cybersecurity Framework is a globally accepted standard for cybersecurity (ISO27001).

Protecting personal information

POPIA is designed to promote the protection of personal information and to bring South Africa's privacy laws in line with international standards. We have adopted a 'privacy by design' approach, which is to embed good privacy practices into the design specifications of new and existing systems and business processes.

Compliance with POPIA requirements provides numerous opportunities, among them improved data management, reduced cost through a reduction in data stored, improved returns on direct marketing by only targeting customers who have given consent, and building trust with customers, who can take comfort that their data is responsibly stored and used. Importantly, the privacy impact assessments conducted on our systems as part of our POPIA implementations also enhanced our cybersecurity, providing a clear view of data flows and the data landscape. POPIA will have no impact on customer experience or our financial results.

Training and awareness on POPIA is being delivered through various internal platforms, and is designed to increase awareness about the Act, its application and employee accountability when processing personal information. Between June and August 2021, biweekly awareness emailers were sent to all Motus employees under the banner of 'Think Privacy', and going forward posters will be displayed at all Motus sites. A fully updated Promotion of Access to Information Act Manual was rolled out across the Group and is available on all relevant websites. The manuals provide users with a form to request access to our records and the terms and conditions associated with such requests (http://paia.motus.co.za).

At year-end, the following had been accomplished to meet POPIA requirements:

  • An Information Officer has been appointed at Motus Holdings level, and five Information Officers appointed across the business segments. All Information Officer registration forms were submitted to the Information Regulator and the appointed individuals' applications have been approved.
  • 15 policies, procedures, guidelines and standards were approved and implemented, including system changes.
  • A new employment contract template was developed and thousands of contracts reviewed for compliance.
  • Data classification frameworks are being rolled out along with privacy impact assessments in business segments.
  • Reviews of supplier contracts are underway to ensure our customer data is protected.