Only 34% of South African organisations ready to comply with POPI Act
* 77% of South African decision-makers admit their organisation will suffer reputational damage if fined for non-compliance with the POPI Act
* 30% of organisations have only a basic understanding of the act
Sophos, a global leader in network and endpoint security, issued the findings of a new study today that was commissioned to determine the state of POPI compliance within South African organisations.
The Protection of Personal Information (POPI) Act promotes the protection of personal information by public and private bodies and was signed into law in 2013. It is expected to come into effect during 2019, after which organisations will have two years to comply.
The Sophos-commissioned survey, which ran online with ITWeb during November 2018, revealed that only 34% of survey respondents felt their organisation was going to be ready to meet the POPI requirements. This means that more than half of the organisations have yet to put the right processes and technology in place to protect personal data, and they could face heavy fines from the supervisory authority if the Information Regulator finds them non-compliant with POPI legislation.
The study further revealed that an overwhelming majority of respondents (77%) believe that their organisation would suffer reputational damage if fines for non-compliance were imposed. Reputational damage can be more harmful than the financial penalties, as it involves loss of goodwill and customer trust.
Pieter Nel, regional manager, Sophos South Africa, commented, "The best way to prepare for POPI is to implement a solid data protection strategy that guards against loss of data whether through malicious or accidental methods. Creating a data protection strategy can be a daunting process, especially if it hasn't previously been a focus area for organisations. Securing against major threats that cause data breaches is a great place to begin."
Other key findings of the survey include:
* Only 10% of respondents indicated that their organisation has a dedicated POPI team
* Two thirds of respondents felt they had a good understanding of the legislation, but almost 30% admitted to only a basic understanding of the act
* Over half of the respondents (62%) have placed a high priority on POPI within their organisation
Nel continues, "Even if organisations don't have dedicated POPI teams, we would recommend that there should be some ownership and responsibility to make the organisation POPI compliant. However, without a clear understanding, there will always be some lapse in POPI implementation. Even if an organisation outsources it to a third party, it is crucial that the organisation has a deep internal understanding of the POPI Act and its impact."
He concludes, "High priority in terms of POPI compliance should translate to readiness of the organisation; without a concrete action plan, organisations will lag behind. Unfortunately, in terms of data breaches, nobody knows when or where it is going to strike next, which is why being prepared is so important."
The survey can be viewed here: Sophos POPI Survey
In November 2018, ITWeb captured input from 180 South African organisations about their POPI compliance, their data protection strategies and their approaches to cyber security.