PoPIA complexity cited as reason for non-compliance by more than half of SA organisations

On 1st July of this year, the most important elements of the Protection of Personal Information Act (PoPIA) came into effect. For most South Africans, it likely meant sifting through email inboxes to unsubscribe from services they never realised they were signed up for.

From the business perspective, however, the issue of PoPIA compliance has been far more hairy, with the scramble before the deadline not helping things either.

Looking into PoPIA compliance after 1st July, storage and information services firm Iron Mountain conducted a survey of 397 professionals from the software and technology sector, healthcare, telecommunications, education, government and various other industries.

Multiple approaches

The findings of the survey were unpacked by Iron Mountain this week, and they make for interesting reading: 58 percent of SA organisations identified the complexity of PoPIA as a top reason for being non-compliant.

Diving deeper into compliance, the survey revealed that organisations all took varying approaches, particularly as it pertains to assigning responsibility.

“Most organisations, 28.7%, left the responsibility for compliance to senior management, whilst 18.4% opted to place the responsibility with IT departments, 12.8% gave responsibility to their legal departments and only 14% chose to build a dedicated POPIA team,” explains the Iron Mountain survey.

Perhaps that is why many organisations were not or were only somewhat prepared once PoPIA came into effect, according to the responses from the survey.

“Organisations were also at different levels of preparedness before POPIA came into effect. The majority of respondents, 45.1%, were well prepared for compliance, 42.6% were somewhat prepared but should have been more prepared, 6.5% didn’t know their state of compliance and 5.8% were not prepared at all,” the Iron Mountain feedback adds.

Digitally dependent

As for the type of compliance measures, much depended on the level of digitisation an organisation had reached. Naturally, the further along the digital transformation journey an organisation was, the better the measures it had put in place.

“67.8% of organisations were at advanced (41.5%) and expert levels of digitisation (26.3%). 25.2% were at intermediate level and 7% had not started their digitisation journey,” the survey bore out.

As with any piece of legislation that impacts business, it ultimately comes down to the level of ownership that those running the business are willing to take, Iron Mountain has found.

“POPIA compliance comes down to organisations taking ownership of their database and personal information. Companies should ensure that employees in different departments understand the risks and steps needed to safeguard internal and external data. They should identify any possible gaps in their safeguards, understand where data is from and where it is stored, and companies need customer consent to use information for marketing purposes,” emphasises Etienne Kruger, Risk and Compliance manager at Iron Mountain.

With the first fines over PoPIA non-compliance yet to be dished out by the Information Regulator, we suspect that many an organisation will be happy to coast along as is.
