Many organisations, in preparation for the commencement of the Protection of Personal Information Act No 4 of 2013 (“POPIA”), have commissioned and drafted world-class organisational data protection policies and implemented POPIA compliance programmes to ensure compliance with POPIA on 1 July 2021. Now that the dust has settled and some time has passed, organisations should remember that without ongoing employee training and awareness, the positive impact and effectiveness of these data protection policies and programmes remain limited or, worse, non-existent. As a result, there is a real risk that organisations may suffer a security compromise (i.e. a data breach) and/or fall into non-compliance with the conditions for lawful processing under POPIA.

One of the requirements under POPIA is to establish adequate technical and operational measures for the protection of personal information. It is well understood that the operational measures implemented in the organisation must be adhered to by employees.

While “data protection” may not be in everyone’s job title, each employee must be aware of their specific role in ensuring that personal information processed by the organisation, and in particular by themselves, is kept secure and lawfully processed. Even though we may associate legal, information technology, compliance and human resources roles more with the duties relating to data protection, in truth most data processing activities occur in the day-to-day operations of an organisation, which are in effect managed and conducted by all employees. In other words, employees are at the coalface of data protection in an organisation.

What qualifies as sufficient employee training?

It is likely that organisations will have provided initial training to their employees on their compliance obligations, the organisation’s obligations under POPIA, the organisation’s data protection policies and the organisation’s applicable POPIA compliance programme. It must be remembered that it takes time and practice to instil a culture of data protection and privacy within the workplace, and if this training is a once-off exercise, all such well-intended policies and procedures adopted by the organisation will not be effective in reducing the organisation’s risk of suffering data security incidents, data breaches and/or security compromises. Further, acts of non-compliance by employees may also cause the organisation to be in breach of its obligations for lawful processing under POPIA. It is therefore incumbent upon organisations to conduct and maintain ongoing training and awareness programmes, which include vigilance and compliance testing of employees. While ongoing training and testing may seem like a burdensome investment to make, it is critical, and such investment may prevent a greater economic and reputational risk from materialising.

This is because in an organization’s data protection arsenal, employees are an organization’s first line of defense, but can also be its greatest weakness.

As the threats to organisations are constantly evolving, it is crucial that any compliance training provided to employees relating to data protection policies and measures, which form part of the organisation’s POPIA compliance programme, is ongoing and regularly updated. For example, the data protection training and procedures put into place pre-COVID may be insufficient now that many employees are working remotely on a hybrid or full-time basis. Further, many employees may be unaware that when they connect to open networks while working at coffee shops or other public spaces, their information is more susceptible to interception by hackers.

In addition to ongoing training, some ongoing compliance measures and/or assessments which an organisation can implement to help its employees raise their awareness of the data protection compliance standards required in the workplace include:

  • implementing a clean desk policy, to ensure that physical documentation which contains personal information is not left unattended on employees’ desks;

  • checking and reporting on how often employees do not lock their computers when they step away from their desks;

  • running regular tests which gauge employee alertness to scams or phishing attempts (for example, IT sending simulated phishing emails to employees over a period of time to assess their ability to identify and report such attempts);

  • restricting the use of complimentary (promotional) USB drives, which may carry malware or be of unknown origin. To save and transfer the organisation’s information, employees should only use USB drives provided by their organisation or purchased themselves for work purposes, and should ensure that applicable encryption measures are used for such storage devices;

  • conducting data breach simulations to gauge employee readiness in responding to security incidents. It is critical that employees understand who their point of contact is in the case of a data breach. There are specific notification requirements applicable to data breaches and there is, therefore, no room for delay due to confusion about procedure.

There are a host of other measures organisations may implement, and we have therefore only mentioned a few herein. It should be cautioned that each organisation should adapt the applicable measures to its own activities and apparent risk, considering its operations.

Recently, it was reported that TransUnion suffered a data breach as a result of a cybersecurity attack. It was alleged that the hackers responsible for the TransUnion data breach were able to access 54 million personal records of South Africans because the employees whose accounts were breached made use of weak passwords (i.e. “password”) for their user accounts. This recent cyber-attack brings to the fore how employee non-compliance with data protection standards and/or poor security behaviour may result in serious repercussions for an organisation, of both a reputational and a potentially financial nature. The consequences of not having employees who are well-versed in practical day-to-day data protection practices are dire. Investing in ongoing employee training and testing is investing in the data security of the organisation.

Key Takeaways

  • Data protection policies will be ineffective in avoiding data breaches without effective and ongoing employee training and awareness;

  • Employees are, simultaneously, an organisation’s most powerful asset and its greatest weakness in its data protection compliance programme and its data breach/cybersecurity incident prevention programme;

  • Ongoing training of employees is crucial to instilling a culture of data protection and privacy in any organisation.
