Key Findings

ITWeb, in partnership with Iron Mountain, conducted a POPIA Readiness Survey to find out the current state of South African businesses’ POPIA compliance readiness.

The survey ran online during June 2021 and asked how well prepared organisations are for POPIA compliance, as well as how familiar decision-makers and staff are with POPIA requirements.

In this survey, we asked, among other things:

1. What are your concerns regarding data management aligned to POPIA?

2. Which department in your organisation has overall responsibility for complying with POPIA?

3. Is your organisation embracing the POPI regulations in order to build customer trust?

A total of 397 responses were captured, with 66% of respondents being at executive or middle management level, working across a range of industries, with 20% of respondents coming from the software and technology sectors.

Here are some of the key findings:

1. 45% of respondents said their organisations were well prepared for POPIA compliance, while 43% said they were somewhat prepared but could be more so. 5% said they weren’t at all prepared.

2. Nearly three quarters (74%) of respondents agree with the statement ‘decision makers and staff in our organisation are familiar with the POPIA regulation’. 11% disagree.

3. 77% of respondents agree with the statement ‘our privacy programme is aligned with the organisation’s culture and processes’. 4% disagree.

4. Top concerns regarding data management aligned to POPIA emerged as reputational damage (59%), complexity of compliance (58%) and fines (45%).

5. Overall responsibility for complying with POPIA rested with a member of the board or senior management, according to 29% of respondents. 18% of respondents felt that IT should be responsible, while 17% said a dedicated POPIA team should carry the responsibility.

6. 78% of respondents agreed that their organisation was embracing POPIA to build customer trust.

7. 63% of responding organisations said they would be ready to fully meet the POPIA requirements on 1 July. 17% were already compliant. 13% will not be ready in time to comply.

8. Asked to identify the measures that they have in place around POPIA compliance, 69% had measures to ensure the individual whose data is being collected gives consent for data collection. 60% had a compliance officer, 58% had records of processing activities which describe their purpose, type of data collected and the technical and organisational measures taken to ensure their security and 58% had procedures to provide individuals with a copy of all data relating to them. 58% said they had measures to ensure logging and monitoring of data processing and alteration of personal data, while 51% had procedures to delete personal data in the event of a “right to be forgotten” request or if an individual objects to the processing of their data.

9. Digitising the business is regarded as key to POPIA compliance. 42% of respondents said their organisation had an advanced digital maturity, 27% said expert and a quarter (25%) said it was intermediate. 7% of respondents reported a reliance on paper-based processes.

10. Reasons for not implementing data governance measures included lack of time/staff resource (45%), lack of awareness from key decision makers (23%) and lack of financial resources (23%)

11. Three quarters of respondents (76%) said they used access control as part of their data protection policy. 57% used encryption, 54% used auditing and logging and 49% used data loss protection. 45% used two-factor authentication and 42% used data classification and handling. Only 22% used cloud access security brokers.

12. 73% of respondents have a process in place to safely and securely destroy physical records, data and devices at the end of their lifecycle in order to reduce e-waste and comply with POPIA. 9% of respondents said their organisation didn’t have such a policy/process.