To-do list in preparation for POPIA compliance

Anna Collard, KnowBe4 Africa.

With time running out for compliance with the Protection of Personal Information Act (POPIA) next year, too few South African organisations are fully prepared to comply.

This emerged during a webinar on POPIA readiness hosted by KnowBe4 Africa in partnership with ITWeb this week.

Anna Collard, SVP of content strategy & evangelist for KnowBe4 Africa, said KnowBe4 research had found that the majority of South African decision makers were aware of POPIA, but as many as 48% believed they should be better prepared to comply. Only 30% believed they were well prepared, and the rest had only just started preparing or were not prepared at all. Across respondents, the top concerns around POPIA compliance included data breaches, fines, complexity of compliance, not being ready in time and compliance making business more difficult.


Echoing the research results, a poll of webinar participants found that only 11% felt they were well prepared for POPIA compliance, 55% said they were somewhat prepared but should be more so, 27% said they had only just started preparing, and 5% said they were not prepared at all.

“Whether compliance will be enforced and penalties incurred for breaches remains to be seen, but companies should be erring on the side of caution and ensure that they are not negligent,” said Collard. “It will probably be more of a self-regulation process, with consumers and victims themselves likely putting pressure on the regulators to act in the event of a breach. The regulators aren’t there to penalise companies – POPIA is there to make sure that companies are not negligent.”

In preparation for POPIA compliance, South African organisations need to be educating staff, identifying personal information assets, tightening technical controls, updating contracts and conducting impact analyses, she said.

“KnowBe4 recommends that organisations start their journey by conducting a data mapping exercise in partnership with the process owners. You cannot protect data or implement any privacy principles unless you know what data you process, where it is, and how it is processed. You also need to get a full understanding of your organisation’s risk tolerance and compliance requirements.”

Organisations should also assign a data protection officer or team to be accountable for the privacy programme and to drive processes such as staff awareness and training, updating customer and vendor privacy agreements and implementing data loss prevention solutions. “Organisations should be aligning with frameworks such as the ISO 27000 series,” she said.

It is also important to instil a security culture in the organisation, but security culture is defined differently by different organisations, Collard noted.

In a poll of how they define security culture, 42% of webinar participants said awareness and understanding of security, 22% said security advocacy and executive support, 27% said embedding security into the organisation, and 6% said compliance to security policies.

Collard concluded by listing the seven dimensions that can be used to measure security culture:

1. Attitudes
2. Behaviours
3. Cognition and awareness
4. Communication
5. Compliance
6. Norms
7. Responsibilities and accountability
