Home » Opinion » Opinion piece: Why data protection must become part of an organisation’s culture

Opinion piece: Why data protection must become part of an organisation’s culture

By Imraan Kharwa, Data protection officer at Infobip

For years the privacy sword of Damocles hung precariously over South African businesses, threatening severe consequences and penalties for non-compliance with the Protection of Personal Information Act, 2013 (“POPIA”). Now, nearly a year since it activated in July 2021, organisations are settling into the reality of conducting business in alignment with its regulations and data protection best practices. While many organisations have placed compliance at the core of operations, there has sadly been a surge in data breaches impacting South African businesses in the same period, creating a climate that is ripe for POPIA enforcement.

The first anniversary of POPIA

POPIA governs the processing of personal information of individuals and juristic entities (“Data Subjects”) by organisations (“Responsible Parties”) in South Africa. regulates the processing of personal information of individuals by organisations from collection, aggregation and usage all the way through to retention and destruction.

Encouragingly, the Information Regulator, empowered to monitor and enforce compliance with the provisions of POPIA, has been active in engaging with organisations that have experienced data breaches over the past 12 to 18 months. The added scrutiny means organisations must be far more cognisant of how they process personal information, ensuring that  their security controls are adequate and effective.

Gateway to international arena

While compliance has historically been viewed as an administrative burden, many organisations now realise that privacy enablement is no longer a ‘nice to have’ but a valuable necessity of being able to do business. In tandem, technology companies are ensuring privacy forms a key part of their offerings.

The role of the Information Officer

The mandatory appointment of an Information Officer in all organisations remains one of the more contentious aspects of POPIA. Without clear guidance on where this role needs to be positioned, organisations have adopted differing approaches. In practical terms, this is often driven by the size of the organisation, the resources at its disposal and the level maturity of its data protection programme.

Whereas smaller organisations are likely to appoint a multitasker, where the role of Information Officer will be added to the existing headcount in the business, larger arge organisations are more likely to hire a full-time candidate who will be dedicated to the role and oversee a discrete data protection function.

A seat in the boardroom

As more organisations begin to recognise the impact of data protection, both fiscally and reputationally, –privacy has become a business imperative requiring executive input. This often becomes the preserve of Chief Information Officers, but there is an increased focus on appointing experienced Chief Privacy Officers with specialised skills in ensuring POPIA protocols are followed.

Attention to third parties

One of the biggest challenges for local organisations is the lack of attention to privacy risks associated with third parties. As operators in the POPIA relationship, they must also play their part in preventing security compromises. It is therefore imperative to consider the reputation of the third party, the maturity of their privacy programme and whether they employ suitably qualified and certified privacy and security personnel to oversee their operations.

A final, overarching component of the compliance journey is ensuring that awareness of data protection obligations and privacy rights permeate all levels of the organisation through regular privacy training. Privacy training must be regularly conducted, departmental based and appropriate to the organisation. The adage “privacy is everyone’s responsibility” holds true, which is why organisations must improve accessibility to data privacy practices and ensure all employees are cognisant of the privacy regimes within their organisation. Data protection must become part of the living culture of all organisations.

To enquire about Cape Business News' digital marketing options please contact

Related articles

POPIA, PAIA online portals go live

The Information Regulator has established online portals for public and private bodies to use to submit their Promotion of Access to Information Act 2...

Lack of awareness around legislation putting businesses in SA at risk of data breaches

More than three-fifths ofsmall and medium enterprises (SMEs) surveyed and a third of larger organisations in South Africa surveyed believe the Protection of Personal...


Over R100-billion to be invested in data centres in South Africa 

By Larry Claasen Amazon Web Services (AWS) plans to invest R46-billion in Cape Town by 2029. THE setting up of hyperscale data centres in South Africa...


Cape Business News
Follow us on Social Media