Here six things that can be done to improve PoPIA readiness:
Everyone has to be aware of their responsibilities with regards to handling personal information and their roles when it comes to the safeguarding of personal information. People unfortunately are also the ones who react to phishing with emotion and make mistakes that can cost the business money and reputation and that can put critical data systems at risk.
People play a massive role in ensuring that the organisation remains PoPIA compliant, and the organisation remains secure and safeguarded.
They need consistent training and education so that their understanding of the threats can translate to the ongoing protection of information within the organisation, and to their own security hygiene practices as well.
The duties of the information officer include, amongst others, attending to the development and implementation of a compliance framework, ensuring that internal PoPIA awareness sessions are conducted and conducting assessments to identify any risks and necessary safeguards to the personal information that's processed.
This exercise can also be used to raise awareness and form part of an overall education drive, as it typically involves interviews with all major department heads. Once this is done, it should be followed with a privacy impact assessment (PIA), that identifies the risks and what could possibly go wrong in an environment.
It is a practical step that plays a pivotal role in embedding a more robust security foundation into the organisation. Part of the PIA would require a review of the security controls.
This will help refine the controls that are in place and identify what has to be improved on. For organisations that do not have these skills or systems in place, they can collaborate with a third party that can help conduct these types of risk assessments and reviews.
They are as much a target as the business, so if they have any vulnerabilities, they can put your organisation at risk. Just make sure that the boxes are ticked with every service provider, platform and system so you are secured and compliant.
These notices must be written in plain English and specify why the information is collected and how it is used so that consumers are informed and aware.
If there is a breach, who will notify the regulator, who will notify the customers and the media and what will employees be allowed to say – these are just some of the considerations that should be unpacked in advance to ensure the organisation is absolutely ready for whatever may be ahead.