Time is running out for organisations to comply with South Africa's Protection of Personal Information Act, but the right technology can help streamline the process.
With only five months until the grace period for POPIA compliance comes to an end, our Chief Technology Officer Willem Malan, Cloud Security Architect Neil du Plessis, and Modern Workplace Architect Pieter Neethling explore the challenges before South African organisations, and the technological solutions available to address them.
South Africa’s Protection of Personal Information Act (POPIA) is designed to ensure that private, public, and governmental organisations behave lawfully and responsibly when processing personal information. Signed into law on 19 November 2013 by then-president Jacob Zuma, and gazetted on 26 November 2013, POPIA is a key piece of privacy legislation.
Certain sections of the Act became effective on 11 April 2014, and last year, President Cyril Ramaphosa announced commencement dates for the others. There is a 12-month grace period for compliance with the sections of POPIA that commenced on 1 July 2020, meaning organisations have until 30 June 2021 to put the appropriate measures in place.
“Right now, POPIA compliance should be at the top of the to-do list for every business,” says Willem Malan, our Chief Technology Officer. “And it’s absolutely critical if you haven’t yet begun, because the journey towards compliance is not simply a box-ticking exercise. POPIA requires a fundamental shift in terms of how you deal with personal information, and for many enterprises, that will involve a deep dive into their methods of gathering, processing, and safeguarding data,” he explains.
The challenges of preparing for POPIA
By October 2020, around 30% of South African organisations considered themselves well-prepared to meet their compliance obligations under POPIA, according to a local survey. Simultaneously, 39% said they were partly ready, while 14% had only just started planning, and 8% had not conducted any preparations at all. The disparity is striking, but perhaps not surprising, observes Malan. “For years, there’s been a general awareness about POPIA. It certainly has been one of the most talked-about governance issues in the corporate sphere. But there’s a gulf between acknowledgement and action, and I think that has been a stumbling block for business teams.”
Without prescriptive guidance from the Information Regulator, stakeholders have had to figure out their own POPIA road maps, continues Malan. “They’ve had to get to grips with the law and its specific requirements, before crafting their compliance strategies. That was a significant challenge prior to the coronavirus pandemic, given the time and resources needed. And it’s an even more daunting task now, when organisations are recovering from the impact of the COVID-19 lockdowns, and recalibrating for the new world of work. Considering the extraordinary circumstances of 2020, it’s no wonder only about a third of businesses felt on track to achieve POPIA readiness in time,” he adds.
Neil du Plessis, our Cloud Security Architect, notes that POPIA’s incremental rollout may have dampened the sense of urgency initially seen in boardrooms. “When the Act was promulgated in 2013, it was a wake-up call for everyone. Conversations quickly turned towards compliance, and organisations began to formulate their policies and procedures. But as the years went by without official time frames for POPIA implementation, there seemed to be a loss of momentum at the corporate level. In the absence of concrete deadlines, the impetus for swift, comprehensive action appeared to fade. And now, many businesses are under pressure to expedite their POPIA programmes to meet the mid-year target.”
As the countdown intensifies, organisations also have to make sure that the compliance process is driven forward successfully. POPIA’s diverse requirements necessitate a multi-disciplinary approach, says Du Plessis. “From technical controls to record-keeping measures, the Act outlines parameters for lawful data-handling. Compliance, however, is not exclusively an IT issue or a human resources issue to address, and it cannot be delegated to a single department. POPIA has business-wide implications, and the business response should reflect that,” he says.
Malan agrees. “Data protection is a critical obligation, and businesses cannot outsource their accountability. They are responsible for their own compliance. And they have to answer for how they collect and use personal information. It’s important to look at the enterprise holistically, and to plan and monitor efforts in line with POPIA. It also makes sense to leverage available technology to streamline the process,” he says.
Cloud-powered technology at your fingertips
Microsoft Compliance Manager, a relatively new feature in the Microsoft 365 compliance centre, is already being embraced by BUI customers. “It’s such an intuitive, user-friendly platform,” remarks Pieter Neethling, our Modern Workplace Architect. With pre-built assessments for common information security standards like ISO 27001:2013 and custom assessments for POPIA and similar laws, it’s simpler to benchmark and monitor compliance status, as far as it relates to the use of Microsoft cloud services on Microsoft 365 or Azure Active Directory.
“With Compliance Manager’s centralised dashboard, you can perform real-time assessments of your estate, and get the detailed insights you need to strengthen your compliance capabilities,” continues Neethling. “That level of visibility – combined with step-by-step guidance to address shortcomings, and tools to record and track progress – makes Compliance Manager a robust solution for customers,” he says.
The platform also serves as an evidence repository for supporting documentation, and enables project teams to organise and unify their compliance initiatives. “You can drill down to view and manage individual tasks, evaluate progress, generate audit-ready status reports, and understand your overall compliance posture at a glance. The functionality is right there, at your fingertips,” explains Neethling.
Du Plessis adds that Compliance Manager brings order and scalability to organisational compliance efforts. “It can be overwhelming when you’re confronted with large environments of users, devices, and applications to assess, but Compliance Manager removes the burden by categorising and prioritising required actions. The assessments can be mapped and scaled for your particular business needs to help you manage compliance proactively and efficiently,” he says.
The Protection of Personal Information Act is clear about the costs of non-compliance: fines of up to R10-million. While the financial penalties are substantial, Malan believes there’s a greater cost for businesses that fail to comply with POPIA. “Organisations that do not take data privacy and data security seriously tend to suffer the consequences, sooner or later,” he argues. “And those consequences are usually very public and very damaging – sometimes irreparably so. In many cases, the cost of compliance paled in comparison to the cost of the resultant business disruption and reputational harm.”
Making sure that your enterprise is POPIA compliant is not only good business practice, but good for business too, continues Malan. “If you haven’t yet focused on your POPIA journey, then now’s the time to put in the necessary attention and effort. Now’s the time to get your internal systems, policies, and processes organised. Because as soon as you have that framework in place, you can concentrate on implementing the technological controls. And that’s fairly straightforward to accomplish, with practical help from a trusted partner,” he concludes.