More than just compliance

1 July 2020 Security Services & Risk Management

The Protection of Personal Information Act (POPIA) has been doing the rounds for many years and now it has eventually been signed by the president. This means that from 1 July 2021, failing to look after personal information entrusted to you can land you in serious trouble.

Hi-Tech Security Solutions therefore asked John Cato, director of IACT-Africa and previous presenter at the Residential Estate Security Conference (on the topic of POPIA), to provide us some insight into POPIA. While this article was initially written for the Residential Estate Security Handbook 2020, the applicability of the points made by Cato make it relevant to a larger segment of the security industry, which is why we are publishing it here.

What to do?

One of the first things Cato notes is that we should recognise that POPIA is not simply a matter of ticking a few boxes and being compliant. Organisations should view it as the start of a journey for protecting the personal information of people and organisations for which boards and management teams are responsible. “It involves privacy and data protection, which is a global issue and an expectation today.”

He says it is important for management to understand the eight conditions (principles) of the act or they will struggle to relate to the subject. These are:

1. Accountability.

2. Processing limitation.

3. Purpose specification.

4. Further processing limitation.

5. Information quality.

6. Openness.

7. Security safeguards.

8. Data subject participation.

The conditions explained in full can be found in the document at (also available via the short URL*popia), from page 29 onwards.

Cato explains that two key aspects of POPIA are ‘Consent’ and ‘Purpose’. That means only collecting and processing personal information (PI) for a clear purpose and with the person’s consent. While the act is long (the above document is over 150 pages long), Cato summarises and offers the following advice to begin preparations:

• The starting point is to formally appoint an information officer (IO) and deputy information officer (DIO) where required.

• The next point to consider is the responsibilities of the IO and DIO. These are summarised in the regulations of December 2018. The first responsibility is the development, implementation, monitoring and maintenance of a compliance framework. This is not defined, but our recommended approach which is based on international practices includes:

º Establishing privacy policies and notices – this should include visible signage.

º Establishing information security related policies and technical measures, e.g. strong password practices, access controls to systems, encryption, data leak prevention (DLP), etc. Policies should include CCTV polices and biometric polices.

º Developing an inventory of PI, i.e. ,what PI is where (systems, files, etc.).

º Identifying activities and processes that include the collection processing, sharing and destruction of PI.

º Conducting a personal information risk assessment and establishing risk treatments plans (important because of fines).

º Reviewing agreements with service providers where their services involves PI (e.g. security companies, IT service providers, accountants, auditors, etc.).

These must include a commitment by the service provider to protect PI in line with POPIA as well as the rights of the company for assessing their information security practices. We offer a Responsible Party (RP) to Operator (OP) contract template which has the appropriate clauses and references to sections in POPIA. It is important to check if any of these are hosted services outside of SA as transborder requirements exist (if, for example, you use Dropbox or other such cloud services).

º Obtaining consent for collecting PI from residents (current and new), visitors, contractors, etc. Special care should be taken regarding the PI of children, as this requires the parent’s or legal guardian’s consent.

º Defining retention periods in a policy and ensuring that PI is not kept for longer than it is needed.

º Conduct a privacy impact assessment for any new initiatives.

º Implementing a PAIA manual with a process for requesting access to information.

º Train staff and board members and promote awareness to residents about POPIA and privacy.

º Implement an ongoing compliance monitoring and management plan – things will change, such as service providers, board members, HOA staff, etc.

Adds Cato: “We encourage organisations to start a project with the above as key project tasks together with target dates and persons responsible for completing the tasks. If the initiative is not done as a project, there will be many gaps in the compliance framework.”

John Cato.

The above ‘simplified’ advice from Cato should make it perfectly clear that POPIA is definitely more than a box-ticking exercise. Cato has already been involved in a case where an individual laid a complaint with the Information Regulator about a residential estate’s use of PI. He can’t provide much information except to say that the estate received a stern letter and had to respond within a short timeframe, detailing what and how they handled the PI of the person concerned.

Fortunately, the estate in question was on track with POPIA preparations and was able to reply to all the questions and the issue was thus settled. If they did not have the processes in place, the time allowed for a response would not have been sufficient to gather the required information in a panic and the eventual penalties the regulator could impose are severe.

Who would be held accountable?

People with experience in the corporate world will be very aware of how skilled some people are at finding someone else to blame. This will be a bit more difficult with respect to POPIA. As Cato states, the IO is accountable when something goes wrong, but the company will not be able to wash its hands in innocence. Even if the company outsources, it still needs to make sure the PI the service provider holds is secure. “Outsourcing doesn’t mean you outsource accountability,” warns Cato, “you only outsource the responsibilities for carrying out the service activities. Fines will not be imposed on the SP, but on the organisation.”

He explains that the company (RP) has an obligation to establish a written contract with service providers (OP) in which a commitment by the service provider to protecting PI processed for the company is detailed. The organisation also needs to ensure that its service providers maintain security-related compliance. In other words, they should check what security safeguards are in place based on generally accepted processes and standards such as ISO 27001 or NIST.

“A related development is that there is now an ISO standard for a PIMS: ISO 27701. This complements ISO 27001 – the ISMS standard,” he advises.

Assessing compliance and advice

This article is a small snippet of advice with respect to POPIA, there is obviously a lot more to understand about the act. IACT-Africa has a website dedicated to POPIA at, where it offers a free POPIA compliance heath check.

IACT-Africa also conducts detailed assessments which will highlight shortfalls and provide recommendations for remediation. “We also provide multiple assessment tools, templates for policies, notices and contracts, as well as training material and general recommendation items from third parties.”


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Digital evidence handling in the cloud
Issue 5 2020 , Security Services & Risk Management
Investigate Xpress is a free, cloud-based digital evidence management solution designed to make police forces more efficient and productive.

The evolution of security in residential estates
Residential Estate Security Handbook 2020 , Editor's Choice, Integrated Solutions, Security Services & Risk Management
Two large estates discuss their security processes and the ever-expanding scope of responsibilities they need to fulfil.

Bang for your security buck(s)
Residential Estate Security Handbook 2020, Alwinco , Editor's Choice, Security Services & Risk Management
Hi-Tech Security Solutions asks how estates can maintain a good security posture in the time of the ever-shrinking budget.

More efficient guarding through the effective use of technology
Residential Estate Security Handbook 2020, Technews Publishing, OnGuard, Stallion Security, Active Track , Security Services & Risk Management
Technology in its many forms can be used to optimise the efficiency and performance of on-site guarding.

Range of grid-independent power systems
Residential Estate Security Handbook 2020, Specialised Battery Systems , Products, Security Services & Risk Management
SBS Solar has a range of solutions to provide power, save on costs and above all provide peace of mind.

Taking the guesswork out of tracking guards
Residential Estate Security Handbook 2020, Secutel Technologies , Security Services & Risk Management
The SecuTraq MP5 is an all-in-one body-worn camera to assist in keeping track of guards on site in real time.

The benefit of thermal screening
Issue 5 2020, Technews Publishing, Sensor Security Systems , Security Services & Risk Management
How preventive screening with thermal cameras can help in the fight against COVID-19.

Resilience is critical for post-COVID business success
Issue 5 2020, ContinuitySA , Security Services & Risk Management
Of the many lessons we have to learn from the current emergency, perhaps the most crucial one is to ensure that business strategy and operations are founded on resilience.

Post-Coronavirus communications: kick start your small business
Issue 4 2020 , Security Services & Risk Management
In these uncertain times, how should small companies and startups in the business-to-business domain recommence their selling and communication processes?

The dashboard of the future
Issue 4 2020 , Security Services & Risk Management
Web-based Electronic Signature Dashboard offers quick access to eSignatures within the necessary legal parameters and incorporating advanced security.