In October 2020, the KnowBe4 and ITWeb online data protection survey found that when it comes to the preparedness of their organisation for POPIA compliance, just under one-third (30%) indicated they were well prepared, while 39% said they were “somewhat” ready, but more work needs to be done.

Anna Collard, SVP Content Strategy and Evangelist KnowBe4 Africa shares six things that can be done to improve your POPIA readiness: 

1. “Education and awareness should be a top priority for organisations as we approach the POPIA deadline,” she adds. “This is critical at every level of the business, from top management down to every person who works at the organisation. Everyone has to be aware of their responsibilities with regards to handling personal information and their roles when it comes to the safeguarding of personal information.” People unfortunately are also the ones who react to phishing with emotion and make mistakes that can cost the business money and reputation, and that can put critical data systems at risk.  “People play a massive role in ensuring that the organisation remains POPIA compliant, and the organisation remains secure and safeguarded,” says Collard. “They need consistent training and education so that their understanding of the threats can translate to ongoing protection of information within the organisation. And to their own security hygiene practices as well.”

2. Secondly, organisations can really benefit from implementing the role of a dedicated information officer – a role that should be created specifically for the task of ensuring compliance and understanding. The duties of the information officer include, amongst others, to attend to the development and implementation of a compliance framework, ensure that internal POPIA awareness sessions are conducted, and conduct assessments to identify any risks and necessary safeguards to the personal information processed. 

3. Thirdly, conduct a data mapping exercise that identifies what type of personal information the organisation collects, who this information is shared with and where it is stored. This is immensely valuable, as it not only highlights areas of vulnerability that may not have previously been identified, but it also identifies potential risks that can be alleviated prior to POPIA coming into effect. “This exercise can also be used to raise awareness and form part of an overall education drive, as it typically involves interviews with all major department heads,” says Collard. “Once this is done, it should be followed with a privacy impact assessment (PIA), that identifies the risks and what could possibly go wrong in an environment. It is a practical step that plays a pivotal role in embedding a more robust security foundation into the organisation.” Part of the PIA would require a review of the security controls. This will help refine the controls that are in place and identify what has to be improved on. For organisations that do not have these skills or systems in place, they can collaborate with a third party that can help conduct these types of risk assessments and reviews. 

4. “Speaking of third parties, make sure you unpack who you share the personal information with, how compliant they are and what controls they have in place,” adds Collard. “They are as much a target as the business, so if they have any vulnerabilities, they can put your organisation at risk. Just make sure that the boxes are ticked with every service provider, platform and system so you are secured and compliant.”

5. Consider hiring a consultant who can go through contracts and online privacy notices, and every other space where information is collected, to ensure that the right notices have been put in place. These notices must be written in plain English and specify why the information is collected and how it is used so that consumers are informed and aware. 

6. “The last thing that you should consider is to define the processes that make up your compliance programme and data breach processes,” concludes Collard. “If there is a breach, who will notify the regulator, who will notify the customers and the media and what will employees be allowed to say – these are just some of the considerations that should be unpacked in advance to ensure the organisation is absolutely ready for whatever may be ahead.”