Picture: REUTERS

Business Law Focus host Evan Pickworth interviews Era Gunning and Ridwaan Boda, executives at ENSafrica, on why it is time for a data protection health check, especially by those corporates that have been complacent on compliance. With the Protection of Personal Information Act’s (Popia’s) first anniversary having come and gone on July 1, a question that many organisations are beginning to ask is: “Have we done enough to comply?”


While some organisations appear to be content (and very likely complacent) about the effort they have invested to date in complying with Popia, proactive organisations are now reflecting on the past year. They are strongly advised to assess whether the compliance measures they have taken so far meet the minimum requirements for compliance, and to establish what improvements, if any, can be made.

Many organisations have invested large amounts of time and money into their Popia compliance. However, numerous organisations are still unsure as to what the “must-haves” or mandatory obligations are when it comes to compliance, and where they should now be focusing their attention.

Some organisations are also not sure whether the time and effort invested in their compliance initiatives to date meet the minimum requirements for compliance.

Business Day law and tax editor Evan Pickworth. Picture: REBECCA HEARFIELD

These are the current trends and challenges we’ve seen many organisations face so far:

Theoretical to operative compliance

Many organisations are able to demonstrate a good level of “theoretical” Popia compliance as set out in their policies. However, it is less clear whether what has been documented on paper has actually been implemented in practice and whether operative compliance has been achieved. For example, a business may have a well-drafted data subject access request policy, yet staff may not be adequately trained to identify a data subject access request or to distinguish it from a request for a record in terms of the Promotion of Access to Information Act, 2002 (“PAIA”), and employees may still fall victim to phishing attacks.

Lack of knowledge, governance and training

Many organisations have not yet appointed information officers (or registered these officers with the Information Regulator). In terms of Popia read with PAIA, the CEO or their equivalent would automatically be the information officer unless they authorised another person to act in this role. Without leadership from a properly trained information officer and a suitable compliance framework in place, policies and procedures of a business are not sufficiently understood and implemented by the workforce. Data breaches most often occur due to human error when people and teams are unaware of what they should be doing to ensure compliance. Training for the information officer and staff should be ongoing (we recommend yearly and upon induction) and should be practical, easy to understand and relevant to the roles of those being trained.

Lack of key documentation

Although many organisations have good policies in place, some are still missing key documentation to evidence accountability in terms of Popia. For example, many organisations do not have a process for conducting personal information impact assessments, or have no policies or procedures in place to deal with data subject access requests. Many organisations either do not have PAIA manuals in place or their manuals are outdated and do not take into consideration the changes brought about by the latest regulations promulgated in terms of PAIA. In addition, existing incident response plans are often impractical and do not adequately address cyberinsurance or the interaction between the notification requirements under Popia and those under the Cybercrimes Act, 2020.

Data subject rights requests

Many organisations fail to understand how to balance the rights to access information in terms of Popia and PAIA and the grounds for refusal of such requests. This may lead to complaints to the regulator.

Risk assessments

While Popia requires that information officers conduct a preliminary risk assessment, the reality is that businesses evolve with time, and risk assessments concluded a year ago often do not reflect the current reality of the organisation’s processing activities. This is a major compliance gap.
