Cape Town - A recent survey has raised concern about a lack of awareness among South African organisations about the legal requirements around storing and disposing of confidential data outlined in the Protection of Personal Information (Popi) Act.
More than three-fifths of small and medium enterprises (SMEs) and a third of larger organisations surveyed in South Africa believe Popi does not apply to their business, according to the first South Africa State of the Industry - Information Security report conducted by research body Ipsos on behalf of information security company Shred-it.
Findings of the survey, which was launched on Friday last week, show C-suite executives (70%) are more likely than SMEs (37%) to understand the implications the Popi Act has on their business. Although the act is yet to be fully implemented, once it comes into force businesses are given a grace period of just one year to comply.
Organisations which do not adopt the act after this time could face financial penalties of up to R10m, or a prison sentence of up to 10 years.
Nearly half (46%) of C-suite executives and one-third (32%) of SMEs say the Popi Act will put pressure on their organisation to change their policies related to information security. Despite this, one-third (32%) of SMEs say they currently have no protocol for storing and disposing of confidential data.
By contrast, C-suite executives are more likely to have policies in place, with over half (57%) saying they have a protocol that is strictly adhered to by all employees. However, a further third (37%) with a policy in place admit that not all employees are aware of these protocols.
This highlights a worrying gap in knowledge for employees, resulting in personal information potentially being compromised as they are unaware of how to correctly protect, process and securely dispose of data.
Just half of C-suite executives (55%) and SMEs (51%) say the theft of client/customer information would threaten the stability of their organisation, which is concerning as this information is often confidential and the loss of this data could cause significant legal, financial and reputational damage.
Likewise, only 37% of C-suite executives and 22% of SMEs note that the theft of HR/employee information would be damaging, despite the fact that this often contains highly sensitive personal information about individuals, highlighting a lack of knowledge among South African businesses about what information could put them at risk.
Businesses can increase security by implementing a Clean Desk policy, which means all information must be secured, for example in a locked drawer, when an employee is away from their desk, and a Shred-it All policy, which means that all office paperwork is destroyed before being recycled.
Some companies have already responded to these security risks, with 80% of C-suites and 64% of SMEs stating that they have a Clean Desk policy in the workplace.
Tom Bell, regional manager at Shred-it South Africa, said: "Understanding the legislative environment is crucial for businesses in South Africa to ensure they are implementing best practices to safeguard the confidential information of their customers, employees and partners. However... organisations are not prioritising this, nor are they putting policies in place to help employees understand how to securely store and dispose of sensitive data.
"By neglecting to put policies in place, businesses are at serious risk of a data breach, which causes significant legal, financial and
The survey results indicate a need for government to take action and help South African businesses understand their information security priorities, with both C-suite respondents (47%) and SMEs (55%) saying government commitment to information security needs improvement.