Are your employees a liability with POPIA?
Over the past year, numerous businesses have designed and implemented data protection policies, as well as adopted Protection of Personal Information Act No 4 of 2013 ("POPIA") compliance procedures. Following the initial euphoria of POPIA, it is imperative that organisations continue with staff training and awareness, or the impact and effectiveness of these data protection policies and programmes may be lost or reduced. As a result, organisations will become increasingly vulnerable to security breaches and/or violations of POPIA's lawful processing rules.
POPIA requires the implementation of appropriate technical and organisational safeguards for personal information, and employees are obliged to act in accordance with the organisation's operational standards.
Even though "data protection" might not be in the job description of every employee, all employees need to be aware of their individual responsibilities for protecting personal information and processing it lawfully. Even though legal, IT, compliance, and HR functions are assigned data security duties, the majority of data processing still takes place in day-to-day operations, which are supervised and carried out by all employees. An organisation's employees are the first line of defence when it comes to protecting customer data.
There is a good chance that companies will have trained their workers on their compliance needs, as well as the company's POPIA obligations, its data protection policies, and its POPIA compliance plan.
Successfully instilling a culture of data security and privacy in the workplace requires a significant investment of both time and effort. If training is a one-time event, the organisation's well-intentioned rules and processes will not lower the likelihood of data security incidents, data breaches, or security compromises.
Employee indifference is another factor that could lead an organisation to violate POPIA's lawful processing requirements. Organisations are required to keep up continuous training and awareness programmes, including monitoring and compliance testing. Investing in consistent training and testing may seem like a burden, but doing so can help mitigate potential financial and reputational losses.
As threats to organisations evolve, it is vital that any compliance training provided to staff on data protection policies and methods as part of the organisation's POPIA compliance programme is ongoing and routinely updated. Pre-COVID data protection training and procedures may be insufficient now that many employees work remotely, whether hybrid or full-time. Many employees may not realise that their information is more exposed when they connect to open networks in coffee shops or other public locations.
In addition to regular training, an organisation can establish ongoing compliance measures and/or evaluations to enhance employees' understanding of data protection compliance standards in the workplace, for example:
· A clean desk policy to ensure staff do not leave documents containing personal information unattended;
· Checks on how often employees leave their PCs unlocked, with the results reported;
· Periodic tests by IT of employees' ability to recognise and respond appropriately to phishing scams, using simulated phishing emails that look real;
· Limits on employee USB use: to save and transfer company information, personnel should only use USB devices issued by the organisation or purchased for business, and should verify that suitable encryption mechanisms are employed;
· Simulated data breaches to test employee preparedness. When a data breach occurs, employees must know whom to contact; data breaches have notification requirements, so there is no room for misinterpretation.
We've only covered a handful of the precautions organisations can take. Each organisation should adjust applicable measures to its operations, activities, and risk.
TransUnion disclosed a data leak resulting from a cyberattack. According to reports, cybercriminals were able to access the personal information of 54 million people in South Africa because employees had set passwords on their user accounts that were too simple. This recent cyberattack shows how employee noncompliance with data protection policies, and employee behaviour generally, can have reputational and financial ramifications for an organisation. Without data protection-savvy personnel, the repercussions can be catastrophic. Investing in personnel training and testing increases data security.
Without continual employee training and awareness, data protection policies won't prevent data breaches.
Employees are a company's biggest asset and vulnerability in its data protection compliance and data breach/cybersecurity incident prevention programmes.
Instilling a culture of data protection and privacy in every organisation requires ongoing employee training.
Contact Ariscu to see how we can help you instil a culture of compliance within your organisation.
Source: Lexology, CMS South Africa, "Role of employees in data protection", 5 July 2022.