printer friendly version

34% of SA organisations ready to comply with PoPIA

Sophos has issued the findings of a new study today that was commissioned to determine the state of PoPIA compliance within South African organisations.

The PoPI Act (Protection of Personal Information) promotes the protection of personal information by public and private bodies, was signed into law in 2013. It is expected to come into effect during 2019 after which organisations will have two years to comply.

The Sophos-commissioned survey revealed that only 34% of survey respondents felt their organisation was going to be ready to meet PoPIA requirements. This means that more than half of the organisations have yet to put the right processes and technology in place to protect personal data, which could see them having to pay heavy fines to the supervisory authority if the Information Regulator reveals non-compliance with PoPIA legislation.

The study further revealed that an overwhelming majority of respondents (77%) believe that their organisation will suffer reputational damage if fines for non-compliance were imposed. The reputational damage can be more damaging than the financial penalties, as it involves loss of good will and customer trust.

Pieter Nel, regional manager, Sophos South Africa, commented, “The best way to prepare for PoPIA is to implement a solid data protection strategy that guards against loss of data whether through malicious or accidental methods. Creating a data protection strategy can be a daunting process, especially if it hasn’t previously been a focus area for organisations. Securing against major threats that cause data breaches is a great place to begin.”

Other key findings of the survey include:

• Only 10% of respondents indicated that their organisation has a dedicated PoPIA team.

• Two thirds of respondents felt they had a good understanding of the legislation, but almost 30% admitted to only a basic understanding of the Act.

• Over half of the respondents (62%) have placed a high priority on PoPIA within their organisation.

Nel continues, “Even if organisations don’t have dedicated PoPIA teams, we would recommend that there should be some ownership and responsibility to make the organisation PoPIA compliant. However, without a clear understanding, there will always be some lapse in PoPIA implementation. Even if an organisation outsources it to a third party, it is crucial that the organisation have a deep internal understanding of the PoPI Act and its influence on the organisation.”

He concludes, “High priority in terms of PoPIA compliance should translate to readiness of the organisations; without a concrete action plan, organisations will lag behind. Unfortunately in terms of data breaches, nobody knows when or where it is going to strike next, which is why being prepared is so important.”

The survey can be viewed here: https://www.sophos.com/en-us/medialibrary/pdfs/marketing-material/protection-of-personal-information-survey-report-2018.pdf

Share this article:

Further reading: