The legal interpretation of the impact of the Protection of Personal Information Act (PoPIA) is often dealt with at a high level with management, which then fails to provide support in unpacking, analysing and interpreting the specific impact and remedies.
This is according to Anne-Marié Pretorius from the consulting firm Bizmod, who adds, “PoPI is by no means new, yet we still find that many organisations of various sizes are battling with compliance.
“In South Africa, cybercrime has become a national crisis, as data breach risks are growing and South African businesses are unprepared for the growing risk of cyber-attacks.
“Many organisations struggle to implement the intent of the Act in a practical way that does not hamper the day-to-day running of the business. At the centre of any compliance implementation is the ability to interpret legislation into practical guidelines or interventions, which will enable businesses to comply at a process, systems, people and data level.”
The 2015 Information Security Breach Survey, undertaken by PwC, showed that 90% of large organisations reported suffering a security breach in 2015. It found that 59% of employees steal proprietary corporate data when they quit or are fired, and that 68% of funds lost because of a cyber-attack were declared unrecoverable. The average time to detect a malicious or criminal attack across a global study sample of organisations was 170 days.
Pretorius provides these guidelines for organisations struggling with compliance and data breaches:
- Analyse the primary facing unit, operational and application areas, while structuring the various work streams including process analysis, contracting, people change management and systems.
- Conduct a gap analysis by converting the PoPI Act into key questions. Standardise this across the impacted areas and create a heat map of impact.
- The heat map of impact enables the organisation to identify impact across the dimensions of business areas and implement PoPI compliant business processes and controls within the organisation.
- Enhance operational systems, controls and technologies to support compliance, thereby bringing about compliant business solutions.
- Establish programme education throughout the organisation with training, awareness and change activities that raise sensitivity and understanding of the PoPI Act.
- Recruit a permanent employee to fulfil the role of Privacy Officer. This provides a permanent business-as-usual capability and makes compliance sustainable.
“The PoPI Act creates significant impact on business, as complying with it requires changes to most processes and systems, which then have a direct impact on employees’ behaviour. The organisation is accountable for overseeing its PoPI compliance and therefore it needs to identify and design pragmatic steps and interventions for sustainable results,” concludes Pretorius.