SURVEY: Becoming POPI Act compliant
Despite the long grace period given to SA businesses to get ready to comply with the Protection of Personal Information Act (POPI Act), many remain uncertain about its requirements.
In a recent POPI Act compliance survey conducted by ITWeb in collaboration with Backup Storage Facilities, close to 70% of respondents said they were aware that noncompliance could result in a fine or even jail term.
However, less than half said they know exactly what the POPI Act requires from their business, with the remainder not knowing or being unsure.
"There's a vast amount out data to sift through to get to the answer of what is required by organisations to put in place to become compliant," says Beate Ungerer, sales manager at Backup Storage Facilities, commenting on the results of the survey, which ran online during February and March this year.
Ungerer advises organisations to employ or take on the service of a professional in this field, who will provide a professional evaluation and assist with all that's required by the companies to be POPI Act compliant.
When asked whether their organisation was POPI compliant, only 21% answered 'yes', 19% answered 'no', and 26% were 'unsure', while 35% were 'in progress of getting their house in order'.
"Well-known auditing and accounting firms, plus a large number of other companies offer a service, at a price, to assist in you becoming compliant," says Ungerer. "It can be costly for medium to small companies to implement the requirements."
Security vital for backups
The survey also found that the majority (83%) of respondents believe the site where their organisation's backups are stored is secure, with access control.
Elaborating on this finding, Ungerer advises that the security of backups is vital and goes on to say, "the amount of damage that can be caused through data being available to all may lead to hacking, industrial espionage and being held to ransom, and is open to anyone with a grudge or vendetta against the company."
A third of respondents indicated they're currently using a service provider for the destruction of their records.
Ungerer points out that it makes sense to streamline the practice of records elimination and that cost, space and not having to employ someone to do the job are benefits of outsourcing this service.
"A reputable service provider issues a certificate and in some cases they record the destruction and supply a copy as proof for auditing purposes of the company," she adds.
Just over half of the respondents (55%) cited that the POPI Act doesn't affect what medium they back up to, while 42% believe it does.
"The only thing that matters is that the back-up medium must be safe. Whether it is cloud, tape, hard drive, the question must be: are they secure and unhackable? There are many examples of even the most secure sites being hacked."
Furthermore, the question needs to be asked whether an organisation can survive being hacked. She adds there are many examples of this, from the US government to large banking institutions.
It's not surprising that a large percentage of respondents (79%) are aware of the vulnerability that possible hacking can have on their choice of backup medium.
Ungerer advises: "Decide on the most important data that needs to be safeguarded and what level of safety is needed. Your vital accounting info, employee record and so on. Store the data on a non-hackable medium, such as removable tape or disk."
When choosing a backup service provider, service and reliability are twice as important as price.
Over 60% of participants prefer an online storage medium, while 36% opt for a physical medium.
Ungerer points out there has been a large shift over the years to different mediums of backing up and data storage units.
Besides providing the most suitable backup solution - the safest, most costeffective way for a business to store and retain their records for business - a service provider must offer a host of other services around that, such as destruction, secure transport, backup cloud solutions and more, Ungerer concludes.
Anout the survey
The 2017 POPI Act Compliance Survey was run online on ITWeb for a period of two weeks in February to gain insight into the POPI readiness and backup practices of SA organisations, in particular:
1 The state of readiness and awareness of the PoPI Act requirements;
2 How organisations are currently secure their data;
3 What is most important when choosing a backup service provider.
* A total of 265 responses were received for the POPIA Compliance Survey.
* 31% of respondents are CEOs or MDs and 32% middle management.
* 7% of survey respondents are from fairly large companies with between 501-5000 employees and 13% are from multinationals with over 10 000 employees.