Data Access Governance

Data Access Governance: Closing the Compliance Gap in Public Sector IT

• Kyxis Technologies
• 22 May 2025
• 9 min read

Ask any IT manager in a South African government department or state-owned entity: "Who has access to your sensitive data right now?" Most cannot answer with confidence. Active Directory groups grow organically over years. Stale accounts from departed employees persist. Shared drives accumulate sensitive documents that should never have been shared outside a single team.

This is the data access governance gap — and it represents one of the most significant compliance risks facing public sector ICT environments under POPIA. Kyxis Technologies implements Netwrix-powered Data Access Governance (DAG) frameworks to give organisations full visibility and control over who can access what — and who actually has.

The Compliance Imperative

The Protection of Personal Information Act (POPIA) requires responsible parties to implement appropriate technical and organisational measures to protect personal information from loss, damage, or unlawful processing. This includes:

• Access Controls: Restricting access to personal information to authorised persons only
• Audit Trails: Maintaining records of who accessed or modified personal information
• Least Privilege: Ensuring users have only the access required for their specific role
• Data Minimisation: Identifying and removing unnecessary personal data from shared environments

Without a formal Data Access Governance programme, demonstrating compliance with these requirements — to an Information Regulator or internal auditor — is extremely difficult. The evidence simply does not exist.

What Netwrix Delivers

Kyxis Technologies is a Netwrix partner and deploys the Netwrix Data Security Platform to deliver DAG capabilities including:

• Data Discovery & Classification: Automatically locating and classifying sensitive data across file servers, SharePoint, OneDrive, and cloud storage
• Access Rights Auditing: Providing a clear view of who has permission to access every data store — and whether those permissions are appropriate
• Activity Monitoring: Logging all access, modification, and deletion events for sensitive data in real time
• Stale Access Review: Identifying accounts and permissions that are no longer needed and should be revoked
• Alerting & Response: Generating alerts on suspicious access patterns, such as mass file access or access outside working hours

"You cannot protect what you cannot see. Data access governance starts with complete visibility — who has access, who is using it, and what they are doing with it."

— Kyxis Technologies Data Practice

Insider Threat Mitigation

Industry data consistently shows that insider threats — whether malicious or accidental — account for a significant proportion of data breaches in the public sector. Employees with excessive access permissions represent both an accidental exposure risk (sending a document to the wrong recipient) and a deliberate exfiltration risk.

A well-implemented DAG programme reduces this risk by:

• Removing access to data that employees no longer need for their current role
• Detecting unusual data access behaviour before significant damage occurs
• Creating an audit trail that supports both disciplinary proceedings and regulatory reporting
• Enabling rapid response to suspected insider incidents through forensic-grade activity logs

Conclusion

Data Access Governance is not a luxury — it is a foundational security and compliance capability that every South African public sector organisation must prioritise. Kyxis Technologies delivers proven DAG implementations using Netwrix technology, giving your organisation the visibility, control, and audit evidence to meet POPIA obligations and protect against both external and internal threats.

Related Services & Solutions

• Tags:  
• POPIA
• Data Governance
• Netwrix
• Compliance

More Insights

Discuss This Topic

Want a POPIA readiness assessment or DAG proof-of-concept?

Get in Touch