Six things to improve PoPIA readiness

Issue 3 2021 Editor's Choice

In October 2020, the KnowBe4 and ITWeb online data protection survey found that when it comes to the preparedness of their organisation for PoPIA compliance, just under one-third (30%) indicated they were well prepared, while 39% said they were ‘somewhat’ ready, but more work needs to be done.

Anna Collard, SVP Content Strategy and evangelist for KnowBe4 Africa, shares six things that can be done to improve your PoPIA readiness:

1. “Education and awareness should be a top priority for organisations as we approach the PoPIA deadline,” she says. “This is critical at every level of the business, from top management down to every person who works at the organisation. Everyone has to be aware of their responsibilities with regards to handling personal information and their roles when it comes to the safeguarding of personal information.”

Anna Collard.

People unfortunately are also the ones who react to phishing with emotion and make mistakes that can cost the business money and reputation and that can put critical data systems at risk. “People play a massive role in ensuring that the organisation remains PoPIA-compliant and the organisation remains secure and safeguarded,” says Collard. “They need consistent training and education so that their understanding of the threats can translate to ongoing protection of information within the organisation. And to their own security hygiene practices as well.”

2. Secondly, organisations can really benefit from implementing the role of a dedicated information officer – a role that should be created specifically for the task of ensuring compliance and understanding. The duties of the information officer include, amongst others, to attend to the development and implementation of a compliance framework, ensure that internal PoPIA awareness sessions are conducted and conduct assessments to identify any risks and necessary safeguards to the personal information processed.

3. Thirdly, conduct a data mapping exercise that identifies what type of personal information the organisation collects, whom this information is shared with and where it is stored. This is immensely valuable as it not only highlights areas of vulnerability that may not have previously been identified, but it also identifies potential risks that can be alleviated prior to PoPIA coming into effect. “This exercise can also be used to raise awareness and form part of an overall education drive, as it typically involves interviews with all major department heads,” notes Collard. “Once this is done, it should be followed with a privacy impact assessment (PIA), that identifies the risks and what could possibly go wrong in an environment. It is a practical step that plays a pivotal role in embedding a more robust security foundation into the organisation.”

Part of the PIA would require a review of the security controls. This will help refine the controls that are in place and identify what has to be improved on. For organisations that do not have these skills or systems in place, they can collaborate with a third party that can help conduct these types of risk assessments and reviews.

4. “Speaking of third parties, make sure you unpack who you share the personal information with, how compliant they are and what controls they have in place,” adds Collard. “They are as much a target as the business, so if they have any vulnerabilities, they can put your organisation at risk. Just make sure that the boxes are ticked with every service provider, platform and system so you are secured and compliant.”

5. Consider hiring a consultant who can go through contracts and online privacy notices and every other space where information is collected, to ensure that the right notices have been put in place. These notices must be written in plain English and specify why the information is collected and how it is used so that consumers are informed and aware.

6. “The last thing that you should consider is to define the processes that make up your compliance programme and data breach processes,” concludes Collard.

“If there is a breach, who will notify the regulator, who will notify the customers and the media and what will employees be allowed to say – these are just some of the considerations that should be unpacked in advance to ensure the organisation is absolutely ready for whatever may be ahead.”

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

FortiGuard labs reports disruptive shift of cyber threats
Issue 1 2021 , Editor's Choice
Threat intelligence from the second half of 2020 demonstrates an unprecedented cyber-threat landscape where cyber adversaries maximised the constantly expanding attack surface to scale threat efforts around the world. Adversaries proved to be highly adaptable, creating waves of disruptive and sophisticated attacks.

The year resilience paid off
Issue 8 2020 , Editor's Choice, Security Services & Risk Management
Hi-Tech Security Solutions spoke to Michael Davies about business continuity and resilience in a year when everything was put to the test.

Retail solutions beyond security
Issue 8 2020, Axis Communications SA, Technews Publishing, Hikvision South Africa , Editor's Choice, CCTV, Surveillance & Remote Monitoring
The need for security technology to deliver more than videos of people falling or stealing from retail stores is greater than ever.

Decentralised operations is where it’s at
CCTV Handbook 2021, G4S Secure Solutions SA, Technews Publishing , Editor's Choice
Control rooms are evolving into operations centres that serve a variety of applications, such as risk management, surveillance, process management, network monitoring, personnel management and asset management.

Advanced enterprise storage architecture
CCTV Handbook 2021 , Editor's Choice
Storage start-up 22dot6 launched an advanced enterprise storage architecture design for the commercial market, the industry’s first software-defined TASS (Transcendent Abstracted Storage System) architecture.

Recover your margins with services
CCTV Handbook 2021, Technews Publishing , Editor's Choice
The security industry has reached yet another inflection point with the rise of the cloud, specifically with its utility in security services which have become an operational expenditure reality.

The reality of the cloud
CCTV Handbook 2021, Technews Publishing , Editor's Choice
One unmistakable take-away from this year’s CCTV Handbook is that no matter whether it’s a hybrid or an ‘all-in’ model, the cloud is the new frontier for surveillance operations.

Keeping Century City safe since 2016
CCTV Handbook 2021 , Editor's Choice
ATG Digital and Century City are celebrating five years of access and security control innovation. The relationship started with visitor registration digitisation and evolved into a collaborative partnership that birthed several custom-built solutions.

SABS updates national standard on fire detection and alarm systems
Issue 3 2021 , Editor's Choice
SABS has recently published a revised version of its SANS 10139 code of practice, which brings South Africa in line with fire safety standards similar to those in the United Kingdom and Europe.

Finalists for the inaugural South Africa OSPAs have been announced
Issue 3 2021 , Editor's Choice
The independent panel of judges nominated by supporting associations have selected the 2021 finalists for the Outstanding Security Performance Awards (OSPAs).