Close Menu
TechCentralTechCentral

    Subscribe to the newsletter

    Get the best South African technology news and analysis delivered to your e-mail inbox every morning.

    Facebook X (Twitter) YouTube LinkedIn
    WhatsApp Facebook X (Twitter) LinkedIn YouTube
    TechCentralTechCentral
    • News

      South Africa begins complex job of overhauling media laws

      13 July 2025

      Nvidia CEO to hold high-stakes media briefing in Beijing

      13 July 2025

      Blue Label Telecoms to change its name as restructuring gathers pace

      11 July 2025

      Get your ID delivered like pizza – home affairs’ latest digital shake-up

      11 July 2025

      EFF vows to stop Starlink from launching in South Africa

      11 July 2025
    • World

      Grok 4 arrives with bold claims and fresh controversy

      10 July 2025

      Bitcoin pushes higher into record territory

      10 July 2025

      Cupertino vs Brussels: Apple challenges Big Tech crackdown

      7 July 2025

      Grammarly acquires e-mail start-up Superhuman

      1 July 2025

      Apple considers ditching its own AI in Siri overhaul

      1 July 2025
    • In-depth

      Siemens is battling Big Tech for AI supremacy in factories

      24 June 2025

      The algorithm will sing now: why musicians should be worried about AI

      20 June 2025

      Meta bets $72-billion on AI – and investors love it

      17 June 2025

      MultiChoice may unbundle SuperSport from DStv

      12 June 2025

      Grok promised bias-free chat. Then came the edits

      2 June 2025
    • TCS

      TCS+ | MVNX on the opportunities in South Africa’s booming MVNO market

      11 July 2025

      TCS | Connecting Saffas – Renier Lombard on The Lekker Network

      7 July 2025

      TechCentral Nexus S0E4: Takealot’s big Post Office jobs plan

      4 July 2025

      TCS | Tech, townships and tenacity: Spar’s plan to win with Spar2U

      3 July 2025

      TCS+ | First Distribution on the latest and greatest cloud technologies

      27 June 2025
    • Opinion

      In defence of equity alternatives for BEE

      30 June 2025

      E-commerce in ICT distribution: enabler or disruptor?

      30 June 2025

      South Africa pioneered drone laws a decade ago – now it must catch up

      17 June 2025

      AI and the future of ICT distribution

      16 June 2025

      Singapore soared – why can’t we? Lessons South Africa refuses to learn

      13 June 2025
    • Company Hubs
      • Africa Data Centres
      • AfriGIS
      • Altron Digital Business
      • Altron Document Solutions
      • Altron Group
      • Arctic Wolf
      • AvertITD
      • Braintree
      • CallMiner
      • CambriLearn
      • CYBER1 Solutions
      • Digicloud Africa
      • Digimune
      • Domains.co.za
      • ESET
      • Euphoria Telecom
      • Incredible Business
      • iONLINE
      • Iris Network Systems
      • LSD Open
      • NEC XON
      • Network Platforms
      • Next DLP
      • Ovations
      • Paracon
      • Paratus
      • Q-KON
      • SevenC
      • SkyWire
      • Solid8 Technologies
      • Telit Cinterion
      • Tenable
      • Vertiv
      • Videri Digital
      • Wipro
      • Workday
    • Sections
      • AI and machine learning
      • Banking
      • Broadcasting and Media
      • Cloud services
      • Contact centres and CX
      • Cryptocurrencies
      • Education and skills
      • Electronics and hardware
      • Energy and sustainability
      • Enterprise software
      • Fintech
      • Information security
      • Internet and connectivity
      • Internet of Things
      • Investment
      • IT services
      • Lifestyle
      • Motoring
      • Public sector
      • Retail and e-commerce
      • Science
      • SMEs and start-ups
      • Social media
      • Talent and leadership
      • Telecoms
    • Events
    • Advertise
    TechCentralTechCentral
    Home » Company News » Popia holds no fear for South African organisations

    Popia holds no fear for South African organisations

    By Micro Focus9 November 2020
    Twitter LinkedIn Facebook WhatsApp Email Telegram Copy Link
    News Alerts
    WhatsApp

    After years of waiting for the Protection of Personal Information Act (Popia) to become law, many organisations are confident that they will meet its onerous regulations by the deadline.

    The act came into force at the beginning of July, and gives companies until June next year to be fully compliant. Most participants in a recent TechCentral C-Suite roundtable on Popia — sponsored by Micro Focus and VIC IT — were confident that they’re already far along the journey.

    The act sets out strict rules governing what organisations can and can’t do with information about their customers. It obliges them to take responsibility for it, and to use it only as needed, with heavy penalties for any breaches.

    Old Mutual didn’t need this new law to make it take privacy seriously, said Magan Naidoo, its head of data and information management. “We’ve always taken a responsible business attitude and haven’t waited for Popia. We’ve always had a privacy policy across the enterprise that covers our businesses in South Africa and outside South Africa,” he said. “Brand damage to a company like Old Mutual cannot be counted — it would be catastrophic. We have processes, teams and protocols in place already as standard practices for breaches and privacy issues.”

    Magan Naidoo

    A group-wide data protection team ensured that Old Mutual as a whole was compliant and had the necessary teams, policies and technology in place, he said. Each business unit also had its own information security officers, so Old Mutual was covered horizontally and vertically to ensure there were no gaps, he said.

    Even so, it was taking Popia extremely seriously and had made further huge investments in resources, processes, policies and management to ensure it would be fully compliant by next June, Naidoo added.

    Themba Mnguni, deputy director at the department of rural development & land reform, said they currently have an information officer and someone dealing with risk management, but because the departments of agriculture and rural development are merging, things are a little unstable. “It will be finalised as soon as possible but, currently there is an accounting officer who accounts for everything, and then responsibilities are delegated, in this case, to our risk officer.”

    Themba Mnguni

    Telecommunications company Vox was also a very good position to be ready by deadline, said Niel van Rooyen, its head of information security.

    Niel van Rooyen

    Some participants expressed their fears about being in the firing line if anything went wrong, however. Tourvest was currently in the process of appointing an information officer, said Imraan Kharwa, its head of information security. At the moment, the responsibility is all his.

    “My mandate extends to data privacy as well as information security, and it’s very likely that someone is going to wake me in the middle of the night in the event that we have a data breach because I’m responsible for our incident response and stakeholder management from a privacy and information security perspective. If anyone’s going to lose their job because of it, it’s likely going to be me.”

    Imraan Kharwa

    Investec’s data privacy officer, Janine West, said her organisation had an incident response team, and she’d be the one who got the call. An internal response team including the CIO and PR team would be alerted next to be on standby.

    Complying with Popia wasn’t necessary only to avoid the fines or a jail sentence that could be incurred for lapses, but for a reputation standpoint, too, West added. “You don’t want to be the company that has the reputation for not having good governance or controls in place.”

    But good governance had become harder with employees working from home during lockdown, as they needed more freedom for tasks like printing out documents. “You don’t know what happens with that data, or how it gets destroyed. There are no shredding machines in homes,” she said.

    Janine West

    As an international broadcaster MultiChoice has to comply with Europe’s GDPR requirements as well as Popia. Yet both should come naturally to any company that cared about its customers, said Morne Bosch-Serfontein, its chief data officer. “If you follow good customer principles a lot of this new legislation should be second nature. We began a few initiatives a couple of years ago to make sure we could deliver to our customers and commit to them that their information will be protected,” he said.

    Morne Bosch-Serfontein

    Various programmes were introduced and mock audits conducted to make sure that from a process perspective everything was governed. “We took it a step further and made this part of the company’s KPIs, and one of our strategic objectives is that we that we pass these audits and remain relevant to our customers by protecting the information,” he stressed.

    The Airports Company South Africa (Acsa) must also comply with GDPR as it deals with data from all over the world, said CIO Mthoko Mncwabe. The current challenge was to ensure its operations were Popia compliant in South Africa, since there were still a lot of gaps. “It’s quite a rush as we stand today, but I think we’ll meet the deadline,” he said. The responsibility for risk, compliance and security at Acsa is run through one programme across the group, with the executives of each business unit taking accountability for the data it owned, he said.

    Mthoko Mncwabe

    At Absa, data privacy was part of everybody’s job and not something that just one person was responsible for, said Ignus van Zyl, its lead security analyst and Africa Technology chief security officer. “Obviously we have teams that focus specifically on this, such as the privacy team, and we look at things like database security, and USBs, and whether they’re being used to move data through the bank,” he said. “We track all of this, because obviously we’re very worried about how our customer data is protected on a holistic level. But there isn’t really anyone working in the bank that doesn’t have some level of responsibility towards ensuring that Popia is properly implemented.”

    Ignus van Zyl

    It’s similar at Absa, where Juan Harmse heads a Converged Security Fusion Centre and deals with data-related issues and incidents in collaboration with the privacy officer. But everybody needed to take responsibility, too.

    “We have a dedicated education and awareness team that deals specifically with privacy-related training, and one of the regulations is a compulsory compliance training course that everybody has to do every year. We run security education and awareness programmes throughout the year, including compliance-based training and a video series we’ve recently launched.”

    Juan Harmse

    While all the roundtable participants were responsible for security and privacy, the ultimate accountability sat with the CEO, stressed Ritasha Kalidas, director of IT security, risk and governance at Tiger Brands. “Usually if you’ve had a breach, you will find yourself in front of a regulator. The regulator doesn’t want to talk to us very technical people, they want to talk to the owners of the information, and that ultimately sits with the CEO.”

    Ritasha Kalidas

    But C-suite executives weren’t accustomed to these types of conversations, and saw this as a security issue that the CIO or head of security should handle. For that reason, it was important to brief the CEO and the C suite very well if anything happened, so they could speak confidently, honestly and transparently about it, she said.

    Standard Bank’s head of information risk governance, Emmerentia du Plooy, said the value of a company’s information far transcended any monetary value. It was the lifeblood of a business and its processes. “If your information gets compromised, the impact to the various stakeholders is huge and the reputational damage can be devastating. It doesn’t really matter which industry you are in, because if you have broken that trust element with either your clients, stakeholders or partners you are in deep trouble.”

    Emmerentia du Plooy

    The medical aid administration company 3Sixty Health also recognises data and cybersecurity as critical. “We’re dealing with sensitive health information such as blood test results or health conditions, so we would never want a situation where that data has been compromised,” said CIO Tshepo Motshegoa. “We rely a lot on Popia, because a lot of key core functions we provide depend on third party partners.”

    Since 3Sixty Health handles the flow of data between doctors and other service providers, it must ensure it was secure and the parties it sent the data to were also secure. “We have put in place several fairly stringent cyber security clauses as well as mechanisms to ensure the safety of all data, as well as clauses to ensure that the correct people are liable in the event of an incident,” he said.

    Tshepo Motshegoa

    Security within the Glacier group was managed by a chief information security officer, and by various information security officers in the different business areas, said Evan Douman, its head of enterprise data management. As a company’s data awareness rose, so did its maturity towards the issue, he said. “We have to start defining where information security stops and starts, and where does it dive into a data governance or data management function.”

    Evan Douman

    The online company Bidorbuy had one individual looking after data privacy, and a couple of teams protecting all the customer data in a database, and destroying it when appropriate, said CTO James Ostrowick. “It’s a multifaceted discussion point when it comes to who owns data privacy and who owns the security behind that,” he said.

    James Ostrowick

    Sibanye Stillwater has about 100 000 employees, and holds a lot of personal medical information about them. Every employee goes through an intense medical, plus periodic tests and an exit check-up. Samuel Mokoena, its governance, risk and compliance manager, said the information went back and forth to medical aid providers, and the company had become quite good at security to prevent unauthorised access or hacking. “However, the challenge for us is how to ensure the people who are authorised to have access to our information are safeguarding it,” he said.

    Samuel Mokoena

    Liberty treated data security as a joint operation between a compliance office and a data chapter that controlled data governance, said Siyabonga Mabuza, the senior data governance specialist. They had regular meetings with infosec as well, to discuss progress around Popia and GDPR compliance for all entities within the Liberty Group. Typical discussions would be around data initiatives, or where they were struggling with the appointment of data owners, the classification of data, or the implementation of data loss prevention tools.

    Brett Skinner

    Advice from Micro Focus for what to prioritise over the next six months was to start by understanding what data you have, plus the potential impacts of non-compliance. Make sure you know what you have and enforce the security around it, said security sales manager Brett Skinner. “You’re always going to have delinquents inside your business, so the starting point has to be the framework of the Act itself. Understand the risks and know where your personally identifiable information (PII) resides.”

    Prischal Bahgoo

    Beyond that, this was a great opportunity to turn the expense of the necessary tools, technologies and training into an advantage, by making money out of the data once they better understood what they were holding. “A lot of people don’t understand what data they have and how they can monetise it,” he said.

    GM at VIC IT Consulting Prischal Bahgoo has the last word. To lead on to what Skinner said, everyone’s talking about where the buck stops, and losing their jobs, what would happen if we gave you the opportunity to say if you had a breach the data was devalued or de identified. That’s something to consider.

    • This promoted content was paid for by the party concerned


    Brett Skinner Emmerentia du Plooy Evan Douman Ignus van Zyl Imraan Kharwa James Ostrowick Janine West Juan Harmse Micro Focus Morne Bosch-Serfontein Mthoko Mncwabe Niel van Rooyen Prischal Bahgoo Ritasha Kalidas Samuel Mokoena Themba Mnguni Tshepo Motshegoa VIC IT
    Subscribe to TechCentral Subscribe to TechCentral
    Share. Facebook Twitter LinkedIn WhatsApp Telegram Email Copy Link
    Previous ArticleVirgin Mobile placed into business rescue
    Next Article Rich, integrated digital experiences: The catalyst for SA’s digital transformation

    Related Posts

    IT Leadership Series | Infobip DPO Imraan Kharwa

    5 April 2023

    Understanding the Modernization Maturity Model

    3 February 2023

    Achieving cost-efficient cloud content management

    6 December 2022
    Company News

    $125-trillion traded: Binance redefines global finance in just eight years

    11 July 2025

    NEC XON welcomes HPE acquisition of Juniper Networks

    11 July 2025

    LTE Cat 1 vs Cat 1 bis – what’s the difference?

    11 July 2025
    Opinion

    In defence of equity alternatives for BEE

    30 June 2025

    E-commerce in ICT distribution: enabler or disruptor?

    30 June 2025

    South Africa pioneered drone laws a decade ago – now it must catch up

    17 June 2025

    Subscribe to Updates

    Get the best South African technology news and analysis delivered to your e-mail inbox every morning.

    © 2009 - 2025 NewsCentral Media

    Type above and press Enter to search. Press Esc to cancel.