
Despite the one-year grace period clarifying the fundamentals of the POPI Act, many businesses remain uncertain about its requirements.
A recent POPI Act survey conducted by ITWeb in collaboration with Backup Storage Facilities shows that a large percentage of respondents (69%) are aware of the possible consequences of non-compliance with the POPI Act.
Although more than half of the respondents are aware of the potential consequences of failing to meet the terms of the POPI Act, the results were more evenly split when respondents were asked if they know exactly what the POPI Act requires from their business, with 28% saying no, and 27% unsure.
"The problem being is that there is a vast amount of data to sift through to get to the answer of what is required by organisations to put in place to become compliant," says Beate Ungerer, Sales Manager at Backup Storage Facilities, commenting on the results of the 2017 POPI Act Survey, which ran online during February and March this year.
Ungerer goes on to say that organisations should employ or take on the service of a professional in this field.
"There are a large variety of companies that will come in and provide a professional evaluation and assist with all that is required by the companies to be POPI Act compliant," she says.
Security vital for backups
The survey research also found that an overwhelming majority (83%) of respondents believe the site where their organisation's backups are stored is indeed secure.
Elaborating on this finding, Ungerer advises that the security of backups is vital and goes on to say, "the amount of damage that can be caused through data being available to all may lead to hacking, and is open to anyone with a grudge or vendetta against the company, industrial espionage and being held to ransom."
The survey revealed that a third of respondents (33%) indicated they are currently using a service provider for the destruction of their records.
This finding makes sense as a way to streamline the practice of records elimination, and Ungerer points out that cost, space and not having to employ someone to do the job are benefits of outsourcing this service.
"A reputable service provider issues a certificate and in some cases they record the destruction and supply a copy as proof for auditing purposes of the company," she further advises.
Another key finding is that just over half of the respondents (55%) cited that the POPI Act does not affect what medium they back up to, while 42% believe it does.
"The only thing that needs to be ascertained is that the back-up medium must be safe. Whether it is cloud, tape, hard drive, are they secure and unhackable? There are many examples of even the most secure sites being hacked."
Ungerer closes her comment on this point by saying the question needs to be asked whether an organisation can survive being hacked. She adds there are many examples of this, from the US government to large banking institutions.
Surprisingly, though, when asked if the respondents knew whether their organisation was POPI compliant, 19% answered no, 21% said yes and 26% were unsure.
According to Ungerer, if it is law, it has to be complied with, and large companies that have the resources can employ full-time compliance officers who are familiar with the requirements of the act.
"Well-known auditing and accounting firms, plus a large number of companies offer a service, at a price, to assist in you becoming compliant. It can be costly for medium to small companies to implement the requirements," she notes.
It's not surprising that a large percentage of respondents (79%) are aware of the vulnerability of their chosen backup medium to possible hacking.
Ungerer says: "Decide on the most important data that needs to be safeguarded and what level of safety is needed. Your vital accounting info, employee records, etc. Store the data on a non-hackable medium, removable tape, disk, etc."
The results were pretty much evenly split when asked if anonymity of a service provider is a factor that the respondents consider. Fifty-six percent answered yes and 45% said no.
"It is more a point of inquisitiveness in that do people have the same view as us. We have from our inception never branded a vehicle, due to the fact that we took into account industrial espionage, malicious intent, and the possibility that thieves could get hold of data and hold a company to ransom."
Ungerer points out that there has been a large shift over the years to different mediums of backing up and data storage units.
"That is our core business, we can advise the best backup solution for business and provide a host of services around that, such as destruction, secure transport, backup cloud solutions, etc. We can refer clients to different organisations who will assist in compliance issues and what is needed, but for us we are only interested in your backups, the safest most cost-effective way for a business to store and retain these records," Ungerer concludes.