Six things to improve PoPIA readiness

Issue 3 2021 Editor's Choice

In October 2020, the KnowBe4 and ITWeb online data protection survey found that when it comes to the preparedness of their organisation for PoPIA compliance, just under one-third (30%) indicated they were well prepared, while 39% said they were ‘somewhat’ ready, but more work needs to be done.

Anna Collard, SVP Content Strategy and evangelist for KnowBe4 Africa, shares six things that can be done to improve your PoPIA readiness:

1. “Education and awareness should be a top priority for organisations as we approach the PoPIA deadline,” she says. “This is critical at every level of the business, from top management down to every person who works at the organisation. Everyone has to be aware of their responsibilities with regards to handling personal information and their roles when it comes to the safeguarding of personal information.”

Anna Collard.

People unfortunately are also the ones who react to phishing with emotion and make mistakes that can cost the business money and reputation and that can put critical data systems at risk. “People play a massive role in ensuring that the organisation remains PoPIA-compliant and the organisation remains secure and safeguarded,” says Collard. “They need consistent training and education so that their understanding of the threats can translate to ongoing protection of information within the organisation. And to their own security hygiene practices as well.”

2. Secondly, organisations can really benefit from implementing the role of a dedicated information officer – a role that should be created specifically for the task of ensuring compliance and understanding. The duties of the information officer include, amongst others, to attend to the development and implementation of a compliance framework, ensure that internal PoPIA awareness sessions are conducted and conduct assessments to identify any risks and necessary safeguards to the personal information processed.

3. Thirdly, conduct a data mapping exercise that identifies what type of personal information the organisation collects, whom this information is shared with and where it is stored. This is immensely valuable as it not only highlights areas of vulnerability that may not have previously been identified, but it also identifies potential risks that can be alleviated prior to PoPIA coming into effect. “This exercise can also be used to raise awareness and form part of an overall education drive, as it typically involves interviews with all major department heads,” notes Collard. “Once this is done, it should be followed with a privacy impact assessment (PIA), that identifies the risks and what could possibly go wrong in an environment. It is a practical step that plays a pivotal role in embedding a more robust security foundation into the organisation.”

Part of the PIA would require a review of the security controls. This will help refine the controls that are in place and identify what has to be improved on. For organisations that do not have these skills or systems in place, they can collaborate with a third party that can help conduct these types of risk assessments and reviews.

4. “Speaking of third parties, make sure you unpack who you share the personal information with, how compliant they are and what controls they have in place,” adds Collard. “They are as much a target as the business, so if they have any vulnerabilities, they can put your organisation at risk. Just make sure that the boxes are ticked with every service provider, platform and system so you are secured and compliant.”

5. Consider hiring a consultant who can go through contracts and online privacy notices and every other space where information is collected, to ensure that the right notices have been put in place. These notices must be written in plain English and specify why the information is collected and how it is used so that consumers are informed and aware.

6. “The last thing that you should consider is to define the processes that make up your compliance programme and data breach processes,” concludes Collard.

“If there is a breach, who will notify the regulator, who will notify the customers and the media and what will employees be allowed to say – these are just some of the considerations that should be unpacked in advance to ensure the organisation is absolutely ready for whatever may be ahead.”

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

SMART Estate Security returns to KZN
Nemtek Electric Fencing Products Technews Publishing Axis Communications SA OneSpace Editor's Choice News & Events Integrated Solutions IoT & Automation
The second SMART Estate Security Conference of 2024 was held in May in KwaZulu-Natal at the Mount Edgecombe Estate Conference Centre, which is located on the Estate’s pristine golf course.

Creating employment through entrepreneurship
Technews Publishing Marathon Consulting Editor's Choice Integrated Solutions Residential Estate (Industry)
Eduardo Takacs’s journey is a testament to bona fide entrepreneurial resilience, making him stand out in a country desperate for resilient businesses in the small and medium enterprise space that can create employment opportunities.

2024 Southern Africa OSPAs winners announced
Editor's Choice
The 2024 Southern Africa Outstanding Security Performance Awards (OSPAs) winners were revealed on Tuesday, June 11th, at the Securex South Africa Seminar Theatre hosted by SMART Security Solutions.

Resident management app shows significant growth
Editor's Choice
My Estate Life is a mobile app for residents and managers in housing estates and buildings. Its core aim is to be an easy gateway for residents to manage visitors and staff, and to communicate and administer general property in a simple interface.

Local manufacturing is still on the rise
Hissco Editor's Choice News & Events Security Services & Risk Management
HISSCO International, Africa's largest manufacturer of security X-ray products, has recently secured a multi-continental contract to supply over 55 baggage X-ray screening systems in 10 countries.

NEC XON shares lessons learned from ransomware attacks
NEC XON Editor's Choice Information Security
NEC XON has handled many ransomware attacks. We've distilled key insights and listed them in this article to better equip companies and individuals for scenarios like this, which many will say are an inevitable reality in today’s environment.

The future of digital identity in South Africa
Editor's Choice Access Control & Identity Management
When it comes to accessing essential services, such as national medical care, grants and the ability to vote in elections to shape national policy, a valid identity document is critical.

Do you need a virtual CIO?
Editor's Choice News & Events Infrastructure
If you have a CIO, rest assured that your competitors have noticed and will come knocking on their door sooner or later. A Virtual CIO service is a compelling solution for businesses navigating tough economic conditions.

AI-enabled tools reducing time to value and enhancing application security
Editor's Choice
Next-generation AI tools are adding new layers of intelligent testing, audit, security, and assurance to the application development lifecycle, reducing risk, and improving time to value while augmenting the overall security posture.

Perspectives on personal care monitoring and smart surveillance
Leaderware Editor's Choice Surveillance Smart Home Automation IoT & Automation
Dr Craig Donald believes smart surveillance offers a range of options for monitoring loved ones, but making the right choice is not always as simple as selecting the latest technology.