When it comes to POPIA compliance readiness, only 30% of South African organisations believe they are well-prepared – according to the KnowBe4 online data protection survey.
To make sure your company is ready, Anna Collard, SVP Content Strategy and Evangelist KnowBe4 Africa, has shared six things that you can do:
1. Education and Awareness Should be a Top Priority
“Education and awareness should be a top priority for organisations as we approach the POPIA deadline,” she says. “This is critical at every level of the business, from top management down to every person who works at the organisation. Everyone has to be aware of their responsibilities with regards to handling personal information and their roles when it comes to the safeguarding of personal information.”
People unfortunately are also the ones who react to phishing with emotion and make mistakes that can cost the business money and reputation, and that can put critical data systems at risk.
“People play a massive role in ensuring that the organisation remains POPIA compliant, and the organisation remains secure and safeguarded,” adds Collard. “They need consistent training and education so that their understanding of the threats can translate to ongoing protection of information within the organisation. And to their own security hygiene practices as well.”
2. Appoint a Dedicated Information Officer
Organisations can really benefit from implementing the role of a dedicated information officer – a role that should be created specifically for the task of ensuring compliance and understanding. The duties of the information officer include, amongst others, to attend to the development and implementation of a compliance framework, ensure that internal POPIA awareness sessions are conducted, and conduct assessments to identify any risks and necessary safeguards to the personal information processed.
3. Identify the Type of Personal Information Your Organisation Collects
Conduct a data mapping exercise that identifies what type of personal information the organisation collects, who this information is shared with and where it is stored. This is immensely valuable, as it not only highlights areas of vulnerability that may not have previously been identified, but it also identifies potential risks that can be alleviated prior to POPIA coming into effect.
“This exercise can also be used to raise awareness and form part of an overall education drive, as it typically involves interviews with all major department heads,” says Collard. “Once this is done, it should be followed with a privacy impact assessment (PIA), that identifies the risks and what could possibly go wrong in an environment. It is a practical step that plays a pivotal role in embedding a more robust security foundation into the organisation.”
Part of the PIA would require a review of the security controls. This will help refine the controls that are in place and identify what has to be improved on. For organisations that do not have these skills or systems in place, they can collaborate with a third party that can help conduct these types of risk assessments and reviews.
4. Determine the Compliance of Your Third-Party Providers
“Speaking of third parties, make sure you unpack who you share the personal information with, how compliant they are and what controls they have in place,” adds Collard. “They are as much a target as the business, so if they have any vulnerabilities, they can put your organisation at risk. Just make sure that the boxes are ticked with every service provider, platform and system so you are secured and compliant.”
5. Hire a Consultant Who can Ensure the Right Notices are in Place
Consider hiring a consultant who can go through contracts and online privacy notices, and every other space where information is collected, to ensure that the right notices have been put in place. These notices must be written in plain English and specify why the information is collected and how it is used so that consumers are informed and aware.
6. Define the Compliance Process
“The last thing that you should consider is to define the processes that make up your compliance programme and data breach processes,” concludes Collard. “If there is a breach, who will notify the regulator, who will notify the customers and the media and what will employees be allowed to say – these are just some of the considerations that should be unpacked in advance to ensure the organisation is absolutely ready for whatever may be ahead.”