Survey participants admit to being in dark about POPI

Read time 4min 30sec
South African businesses are in for a rude awakening once POPI takes effect.
South African businesses are in for a rude awakening once POPI takes effect.

Half of organisations surveyed in ITWeb's online survey admit to being ill-prepared for the looming implementation of the Protection of Personal Information (POPI) Act.

The survey was conducted by ITWeb in partnership with enterprise information management services company OpenText, to find out how ready organisations are to comply with POPI and the EU's General Data Protection Regulation (GDPR).

Run from 19 to 27 March, the survey captured a cross-industry sample of 108 responses from professionals working at all levels: executive managers, operational managers and IT staff.

It revealed that most respondents were still in the dark about POPI compliance requirements and are not sure how to adequately prepare for the implementation of the Act.

When asked how well versed they are about POPI compliance requirements, 50% said they were not clear what steps they are required to take in preparation for the Act, while just over a third (31%) were not sure how they needed to prepare. Another 13% admitted to requiring someone to assist them to meet the POPI compliance requirements.

POPI attempts to bring SA in line with international standards for the collection, recording and storage of personal information.

While the Act was signed into law on 26 November 2013, it is not yet fully operational. Once implemented, POPI is expected to change the way businesses approach the protection of customer, employee and stakeholder information, through the regulation of how the data is processed.

Around 44% of respondents said they were unsure of the required time frame given to report a data breach to the Information Regulator, while 40% said 72 hours, and 15% said organisations had to report a data breach within 12 hours.

Where there are reasonable grounds to believe the personal information of a data subject has been compromised or acquired by any unauthorised person, POPI stipulates organisations have to report a data breach to the Information Regulator as soon as reasonably possible, after the discovery of the compromise.

Established by the South African government in 2016, the Information Regulator was one of the conditions set to function in accordance with the POPI Act and the Promotion of Access to Information Act. It has extensive powers to investigate and fine firms that don't comply up to R10 million.

While 64% said their company has a strategic plan to meet POPI requirements, 19% were unsure and 18% admitted to not having any plan in place.

Furthermore, a third of respondents were not sure if they were compelled to comply with the GDPR, which went into effect on 25 May, and just over half (51%) acknowledged they had to comply, while 20% were unsure.

Non-compliance consequences

Okyerebea Ampofo-Anti, partner in the commercial litigation department at law firm Webber Wentzel, says South African businesses are in for a rude awakening once POPI takes effect.

Ampofo-Anti believes the lack of awareness of cyber security threats in SA means the first sanctions from the Information Regulator will have dire consequences for those involved, as too little is being done in preparation for the full implementation of the POPI Act.

"The most important aspect of POPI from a cyber security point of view is condition number seven, which deals with security safeguards. Not only does it place a burden of responsibility on the so-called responsible party, to ensure the integrity and confidentiality of the personal information in its possession, but it also ultimately requires you to be proactive, to identify the reasonable foreseeable internal and external risks, to establish and maintain appropriate safeguards," she explains.

Content management

The POPI Act states that all collected and stored information must be captured accurately, and there must be measures in place that safeguard it. Experts advise companies to use content management systems, aimed at organising, facilitating and securing content, to make it easier to meet POPI's stringent security requirements.

Around 40% of respondents said their company has a content management solution or initiative for the organisation, 21% were unsure and 18% did not have one.

When asked if their organisation is able to identify and locate unstructured data (information from e-mails, voice recordings and social media) in real-time, 66% answered yes and 20% said no.

Lenore Kerrigan, country sales director at OpenText, says information management programmes, whether initiated for strategic business objectives or compliance requirements, provide an opportunity for organisations to focus on driving value from large volumes of information.

Kerrigan warns that if an organisation cannot provide reliable, trusted and protected data to meet POPI requirements, there will be consequences.

"The reputational damage of a single serious data breach or infringement may have devastating effects on an organisation, not to mention the financial impact of fines that may be administered."

Have your say