SURVEY: Digitisation and secure data destruction key elements of POPIA compliance

By Alison Job
Johannesburg, 15 Sep 2021
Kevin Akaloo, South Africa’s national head of sales - private and public sector, Iron Mountain.

ITWeb, in partnership with Iron Mountain, conducted a POPIA Readiness Survey to find out how well prepared organisations are for POPIA compliance. 

A total of 397 responses were captured, with 66% of respondents being at executive or middle management level, working across a range of industries, with 20% of respondents coming from the software and technology sectors.

The good news is that nearly half (45%) of respondents said their organisations were well prepared for POPIA compliance, while 43% said they were somewhat prepared but could be more so. Five percent said they weren’t at all prepared. 

Kevin Akaloo, South Africa’s national head of sales - private and public sector at Iron Mountain, says, “Interestingly, 74% of respondents’ decision makers and staff are familiar with the POPIA regulation. I’m glad to see this as compliance is ultimately the responsibility of all departments.”

However, some 29% of survey respondents felt that overall responsibility for complying with POPIA should rest with a member of the board or senior management, while 18% of respondents felt that IT should be responsible, and 17% said a dedicated POPIA team should carry the responsibility.

Top concerns regarding data management aligned to POPIA emerged as reputational damage (59%), complexity of compliance (58%) and fines (45%). “Although 59% of respondents were concerned about reputational damage, only 42% of businesses are digitally mature. Companies must embrace digitisation and secure data destruction methods to assist with compliance,” says Akaloo.

While 63% of responding organisations said they would be ready to fully meet the POPIA requirements on 1 July, 17% were already compliant and 13% said they wouldn’t be ready in time.

Asked to identify the measures that they have in place around POPIA compliance, 69% had measures to ensure the individual whose data is being collected gives consent for data collection. Some 60% had a compliance officer, 58% had records of processing activities which describe their purpose, type of data collected and the technical and organisational measures taken to ensure their security, and 58% had procedures to provide individuals with a copy of all data relating to them. Fifty-eight percent said they had measures to ensure logging and monitoring of data processing and alteration of personal data, while 51% had procedures to delete personal data in the event of a “right to be forgotten” request or if an individual objects to the processing of their data.

Digitising the business is regarded as key to POPIA compliance. Forty-two percent of respondents said their organisation had an advanced digital maturity, 27% said expert and a quarter (25%) said it was intermediate. Seven percent of respondents reported a reliance on paper-based processes.

“Digitisation and its associated processes must be embraced by all businesses as it offers solutions that provide reliability and productivity for organisations. It simplifies the methods and governance related to POPIA by keeping track of retention periods, making sure the risks are minimised and to ensure that it does not fall into the wrong hands,” adds Akaloo.

Three quarters of respondents (76%) said they used access control as part of their data protection policy. Fifty-seven percent used encryption, 54% used auditing and logging and 49% used data loss protection. Some 45% used two-factor authentication and 42% used data classification and handling. Only 22% used cloud access security brokers.

Seventy-three percent of respondents have a process in place to safely and securely destroy physical records, data and devices at the end of their lifecycle in order to reduce e-waste and comply with POPIA. Only 9% of respondents said their organisation didn’t have such a policy/process. 

Akaloo comments, “South African businesses are paper-overloaded and there are risks associated with that such as external people or disgruntled employees finding the information and misusing it. We recommend that businesses deploy shredding solutions that securely destroy IT assets and documents onsite or offsite to the point where information cannot be recovered. They should also consider building their own virtual warehouses for record management purposes.”