Guidelines for organisations struggling with POPI compliance
The Protection of Personal Information Act (POPI) has created the requirement for businesses to handle and protect personal information in a specific and prudent way. "POPI is by no means new, yet we still find that many organisations of various sizes are battling with compliance," says Anne-Marie Pretorius from consulting firm Bizmod.
Russia has the highest level of cyber crime victims at 92%, followed by China with 84% and then, alarmingly, South Africa at 80%*. "In South Africa, cyber crime has become a national crisis as data breach risks are growing and South African businesses are unprepared for the growing risk of cyber attacks," says Pretorius.
"Many organisations struggle to implement the intent of the Act in a practical way that does not hamper the day-to-day running of the business."
At the centre of any compliance implementation is the ability to interpret legislation into practical guidelines or interventions, which will enable businesses to comply at a process, systems, people and data level.
"We find that legal interpretation of the legislation's impact is dealt with at a high level, with management failing to provide support in unpacking, analysing and interpreting the specific impact and remedies," says Pretorius.
The 2015 Information Security Breach Survey, undertaken by PwC, showed that 90% of large organisations reported suffering a security breach in 2015. It found that 59% of employees steal proprietary corporate data when they quit or are fired and 68% of funds lost as a result of a cyber attack were declared unrecoverable. The average time to detect a malicious or criminal attack by a global study sample of organisations was 170 days.
Pretorius provides these guidelines for organisations struggling with compliance and data breaches:
* Analyse the primary facing unit, operational and application areas, while structuring the various work streams including process analysis, contracting, people change management and systems.
* Conduct a gap analysis by converting the POPI Act into key questions. Standardise this across the impacted areas and create a heat map of impact.
* The heat map of impact enables the organisation to identify impact across the dimensions of its business areas and to implement POPI-compliant business processes and controls within the organisation.
* Enhance operational systems, controls and technologies to support compliance, thereby bringing about compliant business solutions.
* Establish an education programme throughout the organisation, with training, awareness and change activities that raise sensitivity to and understanding of the POPI Act.
* Recruit a permanent employee to fulfil the role of Privacy Officer. This creates a permanent business-as-usual capability and makes the compliance effort sustainable.
"The POPI Act creates a significant impact on business, as complying with it requires changes to most processes and systems, which then have a direct impact on employees' behaviour. The organisation is accountable for overseeing its POPI compliance and therefore it needs to identify and design pragmatic steps and interventions for sustainable results," concludes Pretorius.
*Norton's 2012 Cybercrime Report