Key Findings

ITWeb, in partnership with KnowBe4, conducted an online data protection survey during September and October 2020.

The objective was to find out where South African organisations are in terms of managing their data and ensuring that they’re compliant with local and international regulations.

It also seeks to uncover the extent to which businesses have managed to identify and classify their data according to risk, and how COVID-19 has impacted privacy compliance programmes.

A total of 176 responses were captured, with nearly 70% of respondents being at executive or middle management level, and working in a range of major industry sectors.

Here are some of the key findings:

  1. 27% of respondents completely agree that “Decision makers and staff in our organisation are familiar with the POPIA regulation." A further 38% “agree”. However, 13% indicated this was not true for their organisation.
  2. Nearly 40% believe they have in place “sound routines for reporting data breaches”.  On the other hand, 18% indicated they don’t.
  3. The majority (68%) agree that their company has relevant privacy skills and training in place.
  4. When it comes to preparedness of their organisation for POPIA compliance, just under a third (30%) indicated they are well prepared, while 39% said they were “somewhat” ready. 14% of the respondents have only just started, while 8% admitted they are not prepared at all.
  5. The top three privacy programme elements that the respondents have conducted are to educate staff (67%), to tighten technical controls (66%) and to identify their personal information assets (61%).
  6. A third of the respondents have fully completed the process of identifying and classifying data according to risk, while another third have only done a basic classification.
  7. Accidental data loss by staff, or external hacking attempts resulting in data breaches were rated as the biggest risks related to personal information.
  8. Less than a third (30%) believe their organisation is prepared for a data breach, indicating they have a mature incident response process in place. The majority (49%) report they are “somewhat” prepared but need to do more work on this.
  9. 30% report they have had no breach incidents in the recent past. For those who did, the most common attack vector is social engineering (eg phishing or vishing).
  10. Just under half of respondents (48%) said COVID-19 and working from home had no impact on their privacy compliance programme. But 30% said remote users posed more risks to their company’s personal information, while a further 16% had to reassign budgets from privacy compliance to more pressing needs (ie, VPN technology).