It’s finally here!

Residential Security Handbook 2021: SMART Estate Living Editor's Choice

After many years of speculation and eye rolling, the Protection of Personal Information Act (POPIA) has finally arrived and will be enforced from July 2021.

After many years of speculation and eye rolling, the Protection of Personal Information Act (POPIA) has finally arrived and will be enforced from July 2021.

Although the Residential Estate Security Handbook has covered POPIA in the past, for this handbook we approached some experts in the local privacy legislation to find out whether we are ready for the new standards estates (and everyone) will be held to, and to perhaps glean any last-minute advice for those not ready for the new law.

Before getting into the details of POPIA’s requirements, the million-dollar question is: are estates ready and able to handle the requirements of the law? Perhaps more importantly, are security staff up to speed with what will be required of them?

Andy Lawler, MD of Sentinel Risk Management is of the opinion that South Africa in general is not mature enough in terms of the protection of private information. “It is, unfortunately, the opinion of this writer that the education level of the average security guard does not allow for risk-based thought processes in terms of what could happen should certain information find itself in the wrong hands. This low education level combined with a low salary level leaves many security personnel members with a ‘don’t care’ attitude.

“As a security assessor and consultant, I have been exposed to many unkempt guard rooms, incomplete and scribbled occurrence books and poorly written standard operating procedures. These are unfortunately the norm rather than the exception. With this in mind, I have extraordinarily little confidence that security personnel in South Africa will mature to the expected level, in terms of the POPIA, anytime soon.”

He therefore suggests that residential estates in general are going to struggle to become compliant, not because they have not put procedures in place, but because the lack of understanding and foresight of security guards leaves those procedures lacking in terms of execution.

Added to this, unfortunately, is the expense needed to become compliant and the resistance of boards of trustees to expend funds not budgeted for. “Thus, most estates will remain with the entrance book, which, unless handled correctly, is the biggest threat to the information security of residents and visitors within estates.”

Andy Lawler.

Anna Collard.

Another threat he sees in terms of the estate, is that security guards refuse entry to people who refuse to fill in sensitive information such as identity numbers, as they have no knowledge of the Act about the protection of private information. Thus, drivers wishing to enter an estate will fill in this information under protest. Furthermore, the guards do not have the facility to ensure that the information being filled in is correct unless they check the number against the driver’s identity document. Too many guards, unfortunately, place too much trust on the word of the driver.

Any person entering the private information onto any document or database has the right to know that their information is being protected. Thus, residents and visitors to estates should have the right to ask where their privacy information is being stored, how it is being protected from unauthorised scrutiny, how long the information is being stored for and, finally, who has access to this information.

“Security guards will need to be trained properly to handle such requests,” Lawler states.

The responsible party

Anna Collard, SVP Content Strategy and evangelist at KnowBe4 Africa adds to this, noting: “To be considered compliant with POPIA, estates or any responsible party for that matter, will have to establish policies and procedures to ensure they adequately process and protect the personal information they collect.

“Furthermore, they need to identify, assess and act upon the risks related to the processing of personal information and adequately protect it. This may require a bit of outside expertise, especially when using information technology. So, in my opinion, I doubt that many smaller organisations, including estates would be fully compliant come July.”

Rieka van Wyk, global privacy manager at PayU says: “It is key that estates are able to indicate, at a minimum, how they process personal information, what type of personal information is collected and be transparent on their legal basis for collection. Be sure to be ready to reply to data subject requests if individuals ask.”

She adds that full compliance is also a misnomer; estates, as responsible parties, will have to meet the conditions under POPIA as well ensure that the operators (processors) which process personal information on their behalf meet the requisite requirements as well. “Given the breadth of POPIA, I would be dubious of any estates, even larger organisations, claiming to be POPIA certified or fully compliant.”

Top POPIA checklist items

As Van Wyk noted above, POPIA is very complex and compliance is not simple. Nonetheless, we asked if our respondents would be able to break down the requirements of the law into a simple (and short) checklist estates could refer to.

Collard recommends the following:

1. Make someone responsible for the protection of personal information, namely by appointing an information officer or designated information officer (if no one is appointed, the CEO is de facto information officer by law). A bus needs a driver and the same applies to data protection programmes.

2. Identify what type of personal information is currently collected and why (the purpose for it). Challenge yourself about the purpose. For example, is it really necessary to ask for visitors’ IDs? What is the purpose of this, and can’t that purpose be fulfilled with less personal information? Is there a way to ‘de-identify’ the personal information and still meet the same security estate requirements?

3. Understand where the personal information is stored, whom it is shared with and how it is currently protected from unauthorised access, theft or destruction. It helps to start this process by visualising the data flow in a simple data flow diagram and identifying the controls that are currently in place (or missing).

Van Wyk recommends paying careful attention to the use and storage of CCTV recordings and how and where such data is going. “Understand that it is your responsibility to understand where personal data is being processed.”

4. Identify and assess risks. Here, it might be good to talk to someone with an IT or security background to understand what could happen to the personal information you are responsible for. Think about things like a laptop or smartphone might be lost or stolen, your cloud username and password may be compromised or someone may fall for a phishing attack resulting in malicious software such as ransomware destroying all the data unless a ransom is paid.

5. Educate yourself as well as your staff about the key conditions of POPIA, security best practices and the value of personal information, and how to handle personal information with care.

Lawler suggests that the residents within an estate should ideally have a clear idea as to where private information is kept by the management of the estate, who has limited or unlimited access to this information, how is the access to this information managed, and finally, who is responsible for the protection of this information. Furthermore, he adds:

1. Are the processes used to collect and store this information audited.

2. Once used, how long is this information stored for and how is it destroyed when it is no longer required.

3. Are guards and other collectors of privacy information for whatever purpose, trained to protect that information according to the POPIA stipulations?

4. Are policies and procedures in place to ensure the protection of this information?

What about smaller estates and complexes?

Smaller estates may not have dedicated security managers or the budget to opt for large POPIA training programmes. They, however, are still subject to the law and must also prepare. Quite simply, Lawler says smaller complexes, despite their limited budget, need to comply with the minimum standards stipulated within the Act or they stand the risk of legal action. “Thus, as far as possible, they need to look at moving away from the so-called ‘truth book’ and move towards an automated computer-scanner based system.”

As an estate manager, the first step Collard would take is to learn more about the basic privacy principles laid out in POPIA and how they may apply to the estate. “Remember that less is more, so the less personal information you collect, the less you need to protect,” she advises. “Review the business needs for collecting and storing personal information and try to limit it wherever possible. If possible, get some outside help to assist in the assessment of your current situation and the controls you may have to put in place. There are many reputable organisations in South Africa which offer some free advice, educational webinars as well as training and actual hand holding.”

Services offered

Sentinel Risk Management is a security assessment firm that assesses the efficacy of guardrooms, guards and processes, explains Lawler. “Our audits include the condition of the information gathered in terms of the estate’s policy and procedures, and we offer bespoke advice, within the budget of the estate, on how to improve their Threats, Risks and Vulnerabilities, both in physical security as well as information security.” Contact Sentinel Risk Management at [email protected] or

Collard says KnowBe4 “provides security and compliance awareness training to assist organisations in driving internal awareness and equipping their employees to make better security decisions, every day.”

More information is available at


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Autonomous construction site protection
Editor's Choice Perimeter Security, Alarms & Intruder Detection
Ajax provides an autonomous security solution for a German construction site that is easy and flexible to install. It provides security against intrusions and theft via a 360-degree view.

SMART and secure estates in Cape Town
Technews Publishing Axis Communications SA Gallagher DeepAlert Nemtek Electric Fencing Products Editor's Choice
In February 2024, SMART Security Solutions emigrated to the Western Cape to host its first SMART Estate Security Conference in the region in many years. For the day, we took over the prestigious D’Aria Wine Estate.

Integrated, mobile access control
SA Technologies Entry Pro Technews Publishing Access Control & Identity Management
SMART Security Solutions spoke to SA Technologies to learn more about what is happening in the estate access world and what the company offers the residential estate market.

New ransomware using BitLocker to encrypt data
Technews Publishing Information Security Residential Estate (Industry)
Kaspersky has identified ransomware attacks using Microsoft’s BitLocker to attempt encryption of corporate files. It can detect specific Windows versions and enable BitLocker according to those versions.

SMART Estate Security returns to KZN
Nemtek Electric Fencing Products Technews Publishing Axis Communications SA OneSpace Editor's Choice News & Events Integrated Solutions IoT & Automation
The second SMART Estate Security Conference of 2024 was held in May in KwaZulu-Natal at the Mount Edgecombe Estate Conference Centre, which is located on the Estate’s pristine golf course.

Creating employment through entrepreneurship
Technews Publishing Marathon Consulting Editor's Choice Integrated Solutions Residential Estate (Industry)
Eduardo Takacs’s journey is a testament to bona fide entrepreneurial resilience, making him stand out in a country desperate for resilient businesses in the small and medium enterprise space that can create employment opportunities.

From the editor's desk: Just gooi a cable
Technews Publishing News & Events
      Welcome to the 2024 edition of the SMART Estate Security Handbook. We focus on a host of topics, and this year’s issue also has a larger-than-normal Product Showcase section. Perhaps the vendors are ...

Kaspersky finds 24 vulnerabilities in biometric access systems
Technews Publishing Information Security
Customers urged to update firmware. Kaspersky has identified numerous flaws in the hybrid biometric terminal produced by international manufacturer ZKTeco, allowing a nefarious actor to bypass the verification process and gain unauthorised access.

2024 Southern Africa OSPAs winners announced
Editor's Choice
The 2024 Southern Africa Outstanding Security Performance Awards (OSPAs) winners were revealed on Tuesday, June 11th, at the Securex South Africa Seminar Theatre hosted by SMART Security Solutions.

Resident management app shows significant growth
Editor's Choice
My Estate Life is a mobile app for residents and managers in housing estates and buildings. Its core aim is to be an easy gateway for residents to manage visitors and staff, and to communicate and administer general property in a simple interface.