The Protection of Personal Information Act (POPIA) has evolved considerably since it was first put into practice four years ago.
In 2024, the Information Regulator (IR) intensified enforcement, issuing at least seven enforcement notices for non-compliance to several well-known companies. South African organisations reported 980 security compromises to the Information Regulator as of April 2024 and some of the fines paid were upwards of R5 million.
However, despite this surge in complaints and hundreds of incidents reported every month, companies remain hesitant and significantly non-compliant.
As Neda Smith, founder and CEO of Agile Advisory Services, explains, this isn’t due to a lack of resources or awareness, but rather is the result of a deep-rooted misunderstanding of what POPIA demands from the business – and who is ultimately responsible for meeting these demands.
“Too many executives treat POPIA as a tick-box exercise or a problem the IT department has to solve,” says Smith. “But data privacy isn’t a technical issue, it’s a business risk which touches every part of the company.”
The central tenet of POPIA is that it requires companies to protect personal information. This information ranges from ID numbers and email addresses to employee data and supplier contracts. Unlike other compliance frameworks, however, POPIA isn’t static. It is a living Act and requires constant vigilance to ensure the organisation remains compliant, and it asks for a deeper shift within the culture of the business itself. People within the organisation need to understand their role in upholding compliance, and leadership needs to go beyond just appointing an Information Officer and publishing a privacy policy.
The law is underpinned by eight principles: accountability, processing limitation, purpose specification, further processing limits, information quality, openness, security safeguards and data subject participation. Out of these principles, the security safeguards are perhaps the most misunderstood.
“Security is where the law meets reality,” says Smith. “It isn’t about having the right firewall or endpoint protection. It’s about knowing where your data rests, who can access it, and what happens when something goes wrong, such as a breach or unauthorised access.”
While IT teams manage firewalls and access controls, POPIA breaches often start somewhere else. The HR team stores outdated CVs and the marketing department uses unvetted lead generation tools. Even everyday activities, such as emailing spreadsheets with personal data or using WhatsApp for client conversations, can present a risk.
These small pockets of risk are most often created by employees' use of shadow IT: the unapproved tools and processes which live outside formal governance but still make use of personal information. As Smith highlights, the business can’t protect what it doesn’t even know it has.
“If data is being shared on personal Dropbox accounts, for example, or copied onto USB sticks, no software in the world can make you compliant,” she says.
Non-compliance has many causes, but some of the most common involve the internal mishandling of data, such as lost laptops, misdirected emails or untrained staff clicking phishing links. Companies need to rethink how they manage and think about the data they hold.
“It’s important to adopt a pragmatic approach where the business uses proven frameworks, such as established security framework controls, to integrate POPIA into broader governance models,” suggests Smith. “That said, technology is only part of the solution as there is no single tool that will make you compliant. DLP platforms, endpoint protection, and user access controls are helpful, but without clear policies and staff training, these become expensive window dressing.”
A compliant security posture rests on two pillars – control and visibility. Companies need a full map of their data flows that shows where the data comes from, how it moves, who touches it, and when it leaves. Every department should own its data with IT protecting it. This requires a robust Data Ownership Policy, role-based access control and a tested incident response plan.
At a minimum, organisations should implement the following technical and organisational controls:
- Multi-factor authentication
- Regular data backups
- Encryption in transit and at rest
- Endpoint protection
- Annual staff awareness training
- Register their Information Officer with the Regulator
- Publish and maintain a transparent privacy policy
- Develop and update their PAIA manual
- Implement strict data retention and destruction policies
- Map and classify all personal data, including paper-based records
- Create internal champions to drive privacy in each department
- Include specific data privacy clauses in all vendor contracts
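The data map, departmental ownership, retention rules and classification called for above are easier to reason about as a concrete register that can be checked automatically. The following is an added example written for this article; it is not code from Agile Advisory Services or from the Information Regulator. It assumes a small in-memory register of data assets (the three entries are constructed), a classifier that spots South African ID numbers and email addresses in free text (the assumption that an SA ID number is 13 digits ending in a Luhn check digit is the author's, not the article's), and a review routine that flags the failure modes the article describes: assets with no business owner, shadow IT storage, and data kept past its retention period.

```python
"""Toy personal-data register, classifier and review (constructed example).

Assumptions (not from the article): SA ID numbers are 13 digits whose last
digit is a Luhn check digit; retention is measured from the asset's last use.
"""
import re
from datetime import date, timedelta

# 13-digit run not embedded in a longer number; candidates still need a Luhn check.
SA_ID_RE = re.compile(r"(?<!\d)\d{13}(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the personal-data categories found in a piece of text."""
    categories = set()
    if any(luhn_ok(candidate) for candidate in SA_ID_RE.findall(text)):
        categories.add("sa_id_number")
    if EMAIL_RE.search(text):
        categories.add("email")
    return categories


# Constructed data register: one entry per asset holding personal information.
REGISTER = [
    {"asset": "HR CV archive", "owner": "HR", "location": "SharePoint",
     "approved": True, "retention_days": 365, "last_used": date(2023, 1, 10),
     "roles": {"hr_staff"}},
    {"asset": "Marketing lead list", "owner": None, "location": "personal Dropbox",
     "approved": False, "retention_days": 90, "last_used": date(2024, 11, 1),
     "roles": {"marketing"}},
    {"asset": "Supplier contracts", "owner": "Procurement", "location": "ERP",
     "approved": True, "retention_days": 1825, "last_used": date(2024, 6, 1),
     "roles": {"procurement", "legal"}},
]


def review_register(register, today: date) -> list:
    """Flag assets with no owner, unapproved storage, or expired retention."""
    findings = []
    for entry in register:
        if entry["owner"] is None:
            findings.append((entry["asset"], "no business owner"))
        if not entry["approved"]:
            findings.append((entry["asset"], "shadow IT: unapproved storage"))
        if today - entry["last_used"] > timedelta(days=entry["retention_days"]):
            findings.append((entry["asset"], "retention period exceeded"))
    return findings


def can_access(entry: dict, role: str) -> bool:
    """Role-based check: only roles listed on the asset may access it."""
    return role in entry["roles"]


if __name__ == "__main__":
    # Constructed sample record, not real personal data.
    print(classify("Candidate 8001015009087, jane@example.co.za"))
    for asset, issue in review_register(REGISTER, date(2025, 1, 1)):
        print(f"{asset}: {issue}")
```

In practice the register would be populated from the data-mapping exercise rather than hard-coded, and the review run on a schedule so that expired retention and unowned assets surface before the Regulator asks about them.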
“With the Information Regulator’s ePortal now in place for breach reporting, companies must be ready to act swiftly when something goes wrong,” says Smith. “One of the biggest blind spots in POPIA compliance is culture. It’s easy to draft a privacy policy but much harder to create a work environment where privacy is respected and protected by default.”
Companies need to truly align their security practices with POPIA requirements and prioritise earning and keeping the trust of customers, employees and partners. And security is the very foundation of that trust.