
SURVEY: Almost a third of local organisations know 'basics' of PoPI

While the majority of survey participants regard the Act as a high priority, few of them have made the necessary preparations to comply with its requirements.

By Sibahle Malinga, ITWeb senior news journalist.
Johannesburg, 11 Mar 2019

While the majority (62%) of local organisations consider the Protection of Personal Information (PoPI) Act a high priority, just over a third (32%) understand its implications.

This is according to an online survey conducted by ITWeb in partnership with network and end-point security firm, Sophos, to find out how ready local organisations are to comply with PoPI.

The survey results raise concerns about how ill-prepared some local organisations are to meet the compliance requirements of the Act.

Meanwhile, 28% of respondents admitted to knowing only the "basics" of what PoPI will mean for their organisation.

PoPI aims to bring South Africa in line with international standards for the collection, recording and storage of personal information.

While the Act was signed into law on 26 November 2013, it's not yet fully operational. Once implemented, PoPI is expected to change the way businesses approach the protection of customer, employee and stakeholder information, through the regulation of how the data is processed.

Unprepared

Once the PoPI implementation date takes effect, a grace period of one year will start running.

This means the Information Regulator will only enforce PoPI one year after the commencement date.

When asked how ready their organisation was to meet the PoPI Act deadline requirements, only 10% of respondents were ready to comply, while just over a third (33%) said they will probably be ready to comply by the time it comes into effect. Another 8% said they are not likely to be ready to comply with PoPI on time.

This means that more than half of the organisations surveyed have not put in place the right processes and tools to protect the personal data they hold, which further suggests they may have to pay heavy fines of up to R10 million to the supervisory authority in cases where non-compliance is discovered.

Pieter Nel, regional manager for Sophos South Africa, explains: "High priority in terms of PoPI compliance should translate to readiness of the organisations. If there isn't a concrete plan of action, organisations will lag behind. Unfortunately, in terms of data breaches, nobody knows when it can strike and to whom."

When asked what the main reasons were for not implementing the PoPI compliance requirements, just under half (45.3%) cited a lack of either time or adequate staff as a major factor, almost a third (27%) cited a lack of awareness among key decision makers, and 18% cited a lack of financial resources.

Data protection

The PoPI Act specifically states that organisations must implement appropriate technical and organisational measures, to ensure the 'pseudonymisation and encryption of personal data'.

However, when asked about their organisation's state of data protection, almost a third (29%) said they already encrypt all their personal data; 24% admitted to not encrypting their data, but said they have plans to do so in the next six months. Only 17% said they encrypt all their personal data.

Nel explains: "The best way to prepare for PoPI is to implement a solid data protection strategy that guards against loss of data, whether through malicious or accidental methods. Creating a data protection strategy can be a daunting process, especially if it hasn't previously been a focus area for organisations. Securing against major threats that cause data breaches is a great place to begin."

Only 65% of respondents have an internal data security policy in place, while 8% do not have one.

Employee training

When asked if their organisation has a formal education plan to educate employees about how to adequately handle personal data, 25% said no, but they are working on one.

According to law firm, Michalsons, the PoPI Act requires that 'appropriate and reasonable' measures be taken to protect information from loss, damage or unlawful access.

This requires companies to provide training to help employees understand what those measures entail.

Nel continues: "Even if organisations don't have dedicated PoPI teams, we would recommend that there should be some ownership and responsibility to make the organisation PoPI compliant.

However, without a clear understanding there will always be some lapse in PoPI implementation. Even if an organisation outsources it to a third party, it's crucial that the organisation has a deep internal understanding of the PoPI Act and its influence on the organisation.
