Why is POPIA compliance proving so difficult?

Johannesburg, 09 Jun 2021
Read time 7min 10sec
Kevin Akaloo, National Sales Manager, Iron Mountain South Africa.
Kevin Akaloo, National Sales Manager, Iron Mountain South Africa.

On 1 July, the long-awaited Protection of Personal Information Act (POPIA) comes into effect, and although South African businesses have had years to prepare themselves, their systems and processes for compliance, there are still far too many businesses that have adopted a wait-and-see approach.

Kevin Akaloo, National Sales Manager for Iron Mountain South Africa, says: “Companies are struggling because they simply don’t know how to become POPIA compliant.”

Companies have had different reactions to POPIA: some companies were dismissive of it, others welcomed it and still others were sceptical. “Organisations need to find standardised and clinical ways of ensuring compliance internally; they need to make it part of the company culture in order to be compliant; and internal stakeholders need to understand the significance of being POPIA compliant.”

Akaloo believes there is room to create more awareness around POPIA in South Africa.

There are several obstacles, according to Akaloo. “They may lack the proper guidance, perhaps they don’t have the internal channels to assist them to align with POPIA. They may also lack the relevant knowledge required to manage compliance around the protection of the personal information that they hold.”

POPIA compliance has two other obstacles that impact the local market. “The first is how businesses manage and store data – a lot of South African companies are still storing paper documents. If data is stored on paper and kept in various places, it’s difficult to manage it and be compliant. The second aspect is the South African culture, where companies are used to storing data in traditional ways. There’s an aversion to technology owing to dependency on legacy storage and management systems.”

He adds that South Africans are generally reactive, rather than proactive, when it comes to implementing new systems and that’s why many companies are lagging behind on their compliance journey. “We’re seeing a lot of companies facing challenges around being POPIA compliant. There are three things that organisations may not be taking into account with regards to POPIA.”

Firstly, companies may be focused on protecting customer information, but neglecting internal protection for employees, such as the company’s HR files. POPIA addresses both internal and external protection of information, and many companies are not aware of that.

Secondly, there’s a general lack of knowledge on the governance of POPIA for companies.

Thirdly, companies don’t always make POPIA part of their internal culture.

“Compliance is traditionally seen from a risk perspective, with the business needing to manage data and prevent data breaches. However, it can also be approached from a customer experience angle, in terms of protecting their personal data. Companies can embrace POPIA to guarantee data protection for customers and use that as an asset to drive business opportunities by showing customers that the company takes responsibility, and their data will be safe, thereby creating trust among their customer base.”

However, should a breach occur, the business has a responsibility to disclose it, and this can have negative implications for the company and its brand. Akaloo is of the opinion that when companies disclose their breaches, it shouldn’t be a ‘name and shame’ exercise. “Each breach should be dealt with according to its merit and could possibly attract a hefty fine for the guilty party. The first step is for POPIA officials to give companies 14 days to remedy the situation. If nothing happens after 14 days, the relevant fines will be applied.”

He goes on to list the steps that companies should take to minimise the likelihood of a breach occurring:

  • Create an inventory and identify all types of data within the business;
  • Separate critical data vs non-critical data;
  • Have in scope where this data is being stored, who has access to it and on which systems;
  • Make sure POPIA retention periods are being honoured (for both physical and digital data);
  • Develop a policy to report any kind of data breaches; and
  • Develop a strategy for how to deal with all your data in the future.

Data privacy breaches are not just inconvenient – the cost to recover from them can be significant and the interruption to the normal flow of business substantial. By taking the steps outlined below, businesses can greatly reduce the risk of a data privacy breach to their business.

1. Store sensitive data securely

Removable storage devices, including thumb drives and CDs, should be kept with paper files in a secure area such as a locked cabinet, drawer or safe. Restrict access to these areas to only those who have the need for the information.

2. Create a comprehensive network security policy

Your network security policy should:

  • Ensure that all employees, partners and owners have a solid understanding of what data the business has and owns, and which of this shareable.
  • Specify changing the network password periodically while ensuring that no employees are saving the password on handwritten notes or computer files.
  • Feature standards for remote access to the network.
  • Remind employees of details of the policy on a regular basis to avoid an unintentional data privacy breach.

3. Use data protection tools

You can assume that any cyber thieves will be experts at finding weaknesses in your system. Installing and regularly testing encryption software is essential to protect data that is on a computer and being transmitted. You should also install a firewall to secure against unauthorised access between your network and the Internet. Solutions can be inexpensive or can cost thousands of dollars to protect highly sensitive data.

4. Conduct background checks

One of the main causes of a privacy data breach is workers, vendors or contractors. You should conduct a background check on anyone who needs to access your confidential information. You can then create levels of users within the network and assign appropriate access. Everyday tasks, like checking e-mails, should always be completed through a separate rights account than the one used for accessing confidential data.

5. Properly dispose of sensitive data

You cannot simply re-use or recycle equipment and documents without taking security measures. Papers containing sensitive data must be shredded and devices cleared of information. This may seem obvious, but improperly deleting data from computers and storage devices is a common mistake that can lead a hacker to uncover information you thought no longer existed.

6. Get insurance

Even if you have taken all of the above steps, you are never completely safe from a data privacy breach. Use a third party to build an insurance program that will protect you from the costs of cyber liability.

7. Develop an incident response plan

An incident response plan should include details about where and how confidential information is stored, how data is backed up, and who has access to the data. It should also feature a list of contacts whom you will need to notify immediately such as law firms, credit monitoring companies, forensic data experts and public relations firms. Responding quickly to an attack will help you get back on your feet as soon as possible and minimise the damages.

With less than a month before POPIA becomes effective, there is a sense that many companies are yet to be compliant from a technological, governance and processing of information point of view. “The best single piece of advice that I can give businesses at this late stage is for them to find specialists in the information management industry to assist in guiding and offering consultation on how best to become compliant.”

ITWeb, in partnership with Iron Mountain, is conducting a survey on the current state of SA businesses’ POPIA compliance readiness. To participate in the survey and to be entered into a lucky draw prize to win a R4 000 Takealot voucher, click here.

On completion, respondents can opt in to receive a record retention guide, which may assist with compliance.

See also