Many organizations, in preparation for the commencement of the Protection of Personal Information Act No 4 of 2013 (“POPIA”), commissioned and drafted world-class organizational data protection policies and implemented POPIA compliance programs to ensure compliance with POPIA on 1 July 2021. Now that the dust has settled and some time has passed, organizations should remember that without ongoing employee training and awareness, the positive impact and effectiveness of these data protection policies and programs remain limited, or worse, non-existent. As a result, there is a real risk that organizations may suffer a security compromise (i.e. a data breach) and/or fail to comply with the principles for lawful processing under POPIA.
One of the requirements under POPIA is to establish adequate technical and operational measures for the protection of personal information. It is well understood that the operational measures implemented in the organization must be adhered to by employees.
While “data protection” may not be in everyone’s job title, each employee must be aware of their specific role in ensuring that personal information processed by the organization, and in particular by themselves, is secure and lawfully processed. Even though we may associate legal, information technology, compliance and human resources roles more closely with data protection duties, in truth most data processing activities occur in the day-to-day operations of an organization, which are in effect managed and conducted by all employees. In other words, employees are at the coalface of data protection in an organization.
What qualifies as sufficient employee training?
It is likely that organizations will have provided initial training to their employees on their compliance obligations, the organization’s obligations under POPIA, the organization’s data protection policies and the organization’s applicable POPIA compliance program. It must be remembered that it takes