Sophos, a network and endpoint security company, has revealed the findings of a new study that was commissioned to determine the state of POPI compliance within South African organisations.
The POPI Act (Protection of Personal Information Act) regulates how public and private bodies process personal information and was signed into law in 2013. At the time of the survey it was expected to come into effect during 2019, after which organisations would have a further two years to comply.
The Sophos-commissioned survey found that only 34 percent of respondents felt their organisation would be ready to meet the POPI requirements. In other words, roughly two-thirds of organisations have yet to put the processes and technology in place to protect personal data, and could face heavy fines if the Information Regulator, the Act's supervisory authority, finds them non-compliant.
The study further revealed that an overwhelming majority of respondents (77 percent) believe their organisation would suffer reputational damage if fines for non-compliance were imposed. Reputational damage can be more costly than the financial penalty itself, as it involves loss of goodwill and customer trust.
Pieter Nel, regional manager, Sophos South Africa, commented, “The best way to prepare for POPI is to implement a solid data protection strategy that guards against loss of data whether through malicious or accidental methods. Creating a data protection strategy can be a daunting process, especially if it hasn’t previously been a focus area for organisations. Securing against major threats that cause data breaches is a great place to begin.”
Other key findings of the survey include:
- Only 10% of respondents indicated that their organisation has a dedicated POPI team
- Two-thirds of respondents felt they had a good understanding of the legislation, but almost 30% admitted to only a basic understanding of the Act
- A majority of respondents (62%) have placed a high priority on POPI within their organisation
Nel continues, “Even if organisations don’t have dedicated POPI teams, we would recommend that there should be some ownership and responsibility to make the organisation POPI compliant. However, without a clear understanding, there will always be some lapse in POPI implementation. Even if an organisation outsources it to a third party, it is crucial that the organisation have a deep internal understanding of the POPI Act and its influence on the organisation.”
He concludes, “High priority in terms of POPI compliance should translate to readiness of the organisations; without a concrete action plan, organisations will lag behind. Unfortunately, in terms of data breaches, nobody knows when or where it is going to strike next, which is why being prepared is so important.”