With only five months until the grace period for POPIA compliance comes to an end, our Chief Technology Officer Willem Malan, Cloud Security Architect Neil du Plessis, and Modern Workplace Architect Pieter Neethling explore the challenges before South African organisations, and the technological solutions available to address them.
South Africa’s Protection of Personal Information Act (POPIA) is designed to ensure that private, public, and governmental organisations behave lawfully and responsibly when processing personal information. Signed into law on 19 November 2013 by then-president Jacob Zuma, and gazetted on 26 November 2013, POPIA is a key piece of privacy legislation.
Certain sections of the Act became effective on 11 April 2014, and last year, President Cyril Ramaphosa announced commencement dates for the others. There is a 12-month grace period for compliance with the sections of POPIA that commenced on 1 July 2020, meaning organisations have until 30 June 2021 to put the appropriate measures in place.
“Right now, POPIA compliance should be at the top of the to-do list for every business,” says Willem Malan, our Chief Technology Officer. “And it’s absolutely critical if you haven’t yet begun, because the journey towards compliance is not simply a box-ticking exercise. POPIA requires a fundamental shift in terms of how you deal with personal information, and for many enterprises, that will involve a deep dive into their methods of gathering, processing, and safeguarding data,” he explains.
By October 2020, around 30% of South African organisations considered themselves well-prepared to meet their compliance obligations under POPIA, according to a local survey. Simultaneously, 39% said they were partly ready, while 14% had only just started planning, and 8% had not conducted any preparations at all. The disparity is striking, but perhaps not surprising, observes Malan. “For years, there’s been a general awareness about POPIA. It certainly has been one of the most talked-about governance issues in the corporate sphere. But there’s a gulf between acknowledgement and action, and I think that has been a stumbling block for business teams.”
Without prescriptive guidance from the Information Regulator, stakeholders have had to figure out their own POPIA road maps, continues Malan. “They’ve had to get to grips with the law and its specific requirements, before crafting their compliance strategies. That was a significant challenge prior to the coronavirus pandemic, given the time and resources needed. And it’s an even more daunting task now, when organisations are recovering from the impact of the COVID-19 lockdowns, and recalibrating for the new world of work. Considering the extraordinary circumstances of 2020, it’s no wonder only about a third of businesses felt on track to achieve POPIA readiness in time,” he adds.
Neil du Plessis, our Cloud Security Architect, notes that POPIA’s incremental rollout may have dampened the sense of urgency initially seen in boardrooms. “When the Act was promulgated in 2013, it was a wake-up call for everyone. Conversations quickly turned towards compliance, and organisations began to formulate their policies and procedures. But as the years went by without official time frames for POPIA implementation, there seemed to be a loss of momentum at the corporate level. In the absence of concrete deadlines, the impetus for swift, comprehensive action appeared to fade. And now, many businesses are under pressure to expedite their POPIA programmes to meet the mid-year target.”
As the countdown intensifies, organisations also have to make sure that the compliance process is driven forward successfully. POPIA’s diverse requirements necessitate a multi-disciplinary approach, says Du Plessis. “From technical controls to record-keeping measures, the Act outlines parameters for lawful data-handling. Compliance, however, is not exclusively an IT issue or a human resources issue to address, and it cannot be delegated to a single department. POPIA has business-wide implications, and the business response should reflect that,” he says.
Malan agrees. “Data protection is a critical obligation, and businesses cannot outsource their accountability. They are responsible for their own compliance. And they have to answer for how they collect and use personal information. It’s important to look at the enterprise holistically, and to plan and monitor efforts in line with POPIA. It also makes sense to leverage available technology to streamline the process,” he says.
Microsoft Compliance Manager, a relatively new feature in the Microsoft 365 compliance centre, is already being embraced by BUI customers. “It’s such an intuitive, user-friendly platform,” remarks Pieter Neethling, our Modern Workplace Architect. With pre-built assessments for common information security standards like ISO 27001:2013 and custom assessments for POPIA and similar laws, it’s simpler to benchmark and monitor compliance status, as far as it relates to the use of Microsoft cloud services on Microsoft 365 or Azure Active Directory.
“With Compliance Manager’s centralised dashboard, you can perform real-time assessments of your estate, and get the detailed insights you need to strengthen your compliance capabilities,” continues Neethling. “That level of visibility – combined with step-by-step guidance to address shortcomings, and tools to record and track progress – makes Compliance Manager a robust solution for customers,” he says.
The platform also serves as an evidence repository for supporting documentation, and enables project teams to organise and unify their compliance initiatives. “You can drill down to view and manage individual tasks, evaluate progress, generate audit-ready status reports, and understand your overall compliance posture at a glance. The functionality is right there, at your fingertips,” explains Neethling.
Du Plessis adds that Compliance Manager brings order and scalability to organisational compliance efforts. “It can be overwhelming when you’re confronted with large environments of users, devices, and applications to assess, but Compliance Manager removes the burden by categorising and prioritising required actions. The assessments can be mapped and scaled for your particular business needs to help you manage compliance proactively and efficiently,” he says.
The Protection of Personal Information Act is clear about the costs of non-compliance: fines of up to R10-million. While the financial penalties are substantial, Malan believes there’s a greater cost for businesses that fail to comply with POPIA. “Organisations that do not take data privacy and data security seriously tend to suffer the consequences, sooner or later,” he argues. “And those consequences are usually very public and very damaging – sometimes irreparably so. In many cases, the cost of compliance paled in comparison to the cost of the resultant business disruption and reputational harm.”
Making sure that your enterprise is POPIA compliant is not only good business practice, but good for business too, continues Malan. “If you haven’t yet focused on your POPIA journey, then now’s the time to put in the necessary attention and effort. Now’s the time to get your internal systems, policies, and processes organised. Because as soon as you have that framework in place, you can concentrate on implementing the technological controls. And that’s fairly straightforward to accomplish, with practical help from a trusted partner,” he concludes.
From improving cybersecurity to enabling collaboration and migrating to the cloud, we’ve helped customers make the most of technology.
Let’s talk about customised solutions to help you solve your POPIA compliance challenges more efficiently. Contact us today.
BUI is pleased to support Data Privacy Day as a Champion Organisation alongside private, public, non-profit, and government organisations from around the world. Data Privacy Day is held annually on the 28th of January, and is co-ordinated by the National Cyber Security Alliance (NCSA). It’s a worldwide effort that generates awareness about the importance of privacy, and highlights simple ways to protect personal information.
This year, the NCSA is encouraging individuals to own their privacy by learning more about how to protect the valuable data that is online. The NCSA is also encouraging businesses to respect privacy by keeping individuals’ personal information safe from unauthorised access and ensuring fair, relevant, and legitimate data collection and processing.
According to a Pew Research Center study, 79% of US adults are concerned about the way their data is used by companies. A Cisco survey found that 84% of consumers want more control over how their data is used. And Akamai investigations revealed that 39% of consumers are likely to walk away from a company that requires them to provide highly sensitive data in order to do business.
As technology evolves and the coronavirus pandemic continues to influence how consumers interact with businesses online, data collection practices are firmly in focus. The NCSA has offered up the following advice to help individuals and businesses become more #PrivacyAware.
Protect your personal information. Personal information, such as your purchase history, IP address, and location, is valuable and can be exploited. Think carefully about the type of information you’re prepared to share, and with whom.
Keep tabs on your apps. Many apps ask for access to personal information, such as your contacts list and photos, before you can use them. Be wary of applications that require access to data which is not relevant to the service offered.
Manage your privacy settings. Check the privacy and security settings on web services and apps, and set them to your comfort level for information-sharing. The devices, apps, and browsers you use will have different features to help you maintain control.
If you collect it, protect it. Make sure the personal information you gather from consumers is collected for relevant, legitimate purposes, and processed responsibly in accordance with applicable laws. Data breaches can cause financial and reputational damage to your business.
Adopt a privacy framework. Build privacy into your business by researching and adopting a privacy framework to help you manage risk and create a culture of awareness in your organisation. Educate staff to empower them to protect personal information.
Build trust through transparency. Be open and honest about how you collect, process, and manage consumers’ personal information. Be clear about the steps your organisation takes to achieve and maintain privacy in line with legislation.
Follow BUI on LinkedIn, Facebook, and Twitter for more data privacy tips, or contact our specialists directly to explore data-management solutions for your business.
Did you know that the BUI Cyber Security Operations Center is the first of its kind in Africa?
We can help you balance business productivity with robust prevention, detection, and response.