POPIA - SA’s hot potato
A large percentage (45.1%) of organisations claim to be well prepared to comply with the Protection of Personal Information Act (POPIA), and were so even before the legislation was enacted, but there are definite challenges that lie ahead – with potential reputational damage listed as a major concern.
This is according to the Iron Mountain POPIA Readiness Survey, conducted in partnership with ITWeb, the findings of which were announced this week.
The survey was conducted before POPIA came into effect on 1 July 2021. It was taken by 397 professionals from the software and technology sector (19.9%), healthcare (6.5%), telecommunication (6%), education (5.5%), government (5.5%) and various other industries.
66% of respondents were executive (34%) or middle management (32%) levels, the remaining were IT (19.9%) and consultants (14.1%). The survey aided to gain insights into the current state of readiness for POPIA compliance amongst organisations in South Africa. Additionally, it examined how organisations approach Records and Information Management (RIM) and Information Governance.
The survey found that the majority of respondents, 45.1%, were well prepared for compliance, 42.6% were somewhat prepared but should have been more prepared, 6.5% didn’t know their state of compliance and 5.8% were not prepared at all.
According to Iron Mountain when it comes to data management, the reputational damage (58.9%) of been viewed as non-compliant was the primary concern for organisations and this drove them towards becoming compliant.
The complexity of becoming POPIA compliant (58.2%) was a major concern for organisations struggling to be compliant. This was followed by concerns over possible fines (45.1%) that can be imposed on them, staff awareness (42.6%) regarding data management and the hindrance of relying on physical data (21.2%).
Etienne Kruger, Risk and Compliance Manager at Iron Mountain South Africa said: “We must just remember POPIA aims to harmonise the data privacy laws in South Africa… it is more relevant in today’s world, especially since the COVID-19 pandemic has accelerated business’ dependency on technology and accelerated digitisation with employees working remotely. Businesses have no choice but to put data privacy at the forefront of their business models. With remote work, employers have less control over information handling which means more vulnerabilities and a higher risk for organisations.”
Remote on-boarding of new employees represents another layer of compliance risk, Kruger added. “Employers need to ensure that their training makes the new employees aware and familiar with the organisations information, retention schedules and handling policies. A fundamental aspect is the skills of employees, their management and effective use of the tools at their disposal. Employers need to ensure that every employee improves their current skills and upgrades their knowledge through training and the necessary resources whilst working remotely. South African companies are still heavily reliant on manual processes and POPIA places the burden of compliance on the entity’s handling this information.”
To ensure POPIA compliance, 62.2% of organisations that process data as a core activity had a compliance officer and over 50% of all organisations had measures and procedures in place to ensure compliance. These measures include the logging and monitoring of data processing and altercation of personal data (57.7%), records of processed activities that include the type of data collected and security measures to protect the information (57.1%), and procedures to delete personal data in the event of a “right to be forgotten” request (50.4%).
The type of compliance measures put in place were dependent on the organisations’ different digitisation maturity levels. 67.8% of organisations were at advanced (41.5%) and expert levels of digitisation (26.3%). 25.2% were at intermediate level and 7% had not started their digitisation journey.
“POPIA compliance comes down to organisations taking ownership of their database and personal information. Companies should ensure that employees in different departments understand the risks and steps needed to safeguard internal and external data. They should identify any possible gaps in their safeguards, understand where data is from and where it is stored, and companies need customer consent to use information for marketing purposes,” said Kruger.
Secure deconstruction and disposition of data are important for compliance
Securely storing data and personal information ensures compliance, the other recommended approach to information management is secure destruction and disposition. Over 70% of respondents had policies or procedures to safely and securely destroy information and reduce e-waste.
“Data is becoming more and more valuable to us as the days and months pass by. Companies need to ensure that their corporate and personal information is kept private,” said Kevin Akaloo, Head of National Sales, Iron Mountain South Africa. “You can never be too secure, no matter what you put in, someone will try to get passed it, so you are going to need to keep innovating and keeping your security up to speed.”
Whilst much depends on the industry in which a business is in, Iron Mountain believes overall more can- and should be done to enhance security and protection of information.
ITWeb reported that according to independent security expert Susi du Preez, African countries are lagging in enacting data protection laws, leaving citizens vulnerable to cyber attacks.
At last year’s ITWeb Security Summit in August, Du Preez compared the pros and cons of data protection and privacy legislation and the need for a global response, and said of the 54 countries on the African continent, only 17 have data protection laws in place.
Du Preez said: “There are 17 countries in Africa that have enacted comprehensive personal data protection legislation, namely: Angola, Benin, Burkina Faso, Cape Verde, Gabon, Ghana, Ivory Coast, Lesotho, Madagascar, Mali, Mauritius, Morocco, Senegal, Seychelles, South Africa, Tunisia and Western Sahara.”