SURVEY: In the dark about POPI

Half of local firms surveyed are not ready for the Protection of Personal Information Act.


The survey was conducted by ITWeb in partnership with enterprise information management services company OpenText, to find out how ready organisations are to comply with POPI and the EU's General Data Protection Regulation (GDPR).

Run from 19 to 27 March, the survey captured a cross-industry sample of 108 responses from professionals working at all levels: executive managers, operational managers and IT staff.

When asked how well versed they are about POPI compliance requirements, 50% said they were not clear what steps they are required to take in preparation for the Act, while just over a third (31%) were not sure how they needed to prepare. Another 13% admitted to requiring someone to assist them to meet the POPI compliance requirements.

While the Act was signed into law on 26 November 2013, it is not yet fully operational. Once implemented, POPI is expected to change the way businesses approach the protection of customer, employee and stakeholder information, through the regulation of how the data is processed.

Around 44% of respondents said they were unsure of the required time frame given to report a data breach to the Information Regulator, while 40% said 72 hours, and 15% said organisations had to report a data breach within 12 hours.

Where there are reasonable grounds to believe the personal information of a data subject has been compromised or acquired by any unauthorised person, POPI stipulates that organisations have to report a data breach to the Information Regulator as soon as reasonably possible after the discovery of the compromise.

Established by the South African government in 2016, the Information Regulator was one of the conditions set to function in accordance with the POPI Act and the Promotion of Access to Information Act.

It has extensive powers to investigate and can fine non-compliant firms up to R10 million. While 64% said their company has a strategic plan to meet POPI requirements, 19% were unsure and 18% admitted to not having any plan in place.

Furthermore, a third of respondents were not sure if they were compelled to comply with the GDPR, which went into effect on 25 May, and just over half (51%) acknowledged they had to comply, while 20% were unsure.

Non-compliance consequences

Okyerebea Ampofo-Anti, partner in the commercial litigation department at law firm Webber Wentzel, says South African businesses are in for a rude awakening once POPI takes effect.

Ampofo-Anti believes the lack of awareness of cyber security threats in South Africa means the first sanctions from the Information Regulator will have dire consequences for those involved, as too little is being done in preparation for the full implementation of the POPI Act.

"The most important aspect of POPI from a cyber security point of view is condition number seven, which deals with security safeguards. It places a burden of responsibility on the company, to ensure the integrity and confidentiality of the personal information in its possession. At the same time requiring you to be proactive, in identifying foreseeable internal and external risks, plus establish and maintain appropriate safeguards," she explains.

Content management

The POPI Act states that all collected and stored information must be captured accurately, and there must be measures in place that safeguard it. Experts advise companies to use content management systems, aimed at organising, facilitating and securing content, to make it easier to meet POPI's stringent security requirements.

Around 40% of respondents said their company has a content management solution or initiative for the organisation, 21% were unsure and 18% did not have one.

When asked if their organisation is able to identify and locate unstructured data (information from e-mails, voice recordings and social media) in real-time, 66% answered yes and 20% said no.

Lenore Kerrigan, country sales director at OpenText, says information management programmes, whether initiated for strategic business objectives or compliance requirements, provide an opportunity for organisations to focus on driving value from large volumes of information.

Kerrigan warns that if an organisation cannot provide reliable, trusted and protected data to meet POPI requirements, there will be consequences.

About the survey

The 2018 POPI Survey, in partnership with OpenText, was run online on ITWeb for a period of two weeks to gain valuable insight into the POPI strategies of SA organisations.

1. If companies feel they are currently POPI compliant;
2. Whether organisations have a strategic plan to meet POPI requirements;
3. If companies are aware of the information life-cycle.

Who responded

* A total of 108 responses were received for the POPI Survey.
* 36% of respondents are Executive Management or MDs and 32% middle management.
* 16% of survey respondents are from fairly large companies with between 501 and 5000 employees and 8% are from multinationals with over 10 000 employees.
