Why effective staff training is key to POPIA compliance

July 20th, 2021


The South African Protection of Personal Information Act is now in full effect, as of July 1, 2020. Companies and organisations in South Africa have been given a 12-month grace period, after which compliance will be enforced with the full effect of the law. It is essential that organisations take this chance to ensure they have set up everything they need to comply with the law - including staff training.

The POPI Act requires all organisations to protect the personal information of their customers. Failure to do so can result in serious penalties for the business and for the members of staff and management who neglected to enforce its guidelines - including fines of up to 10 million Rand or jail sentences of up to 10 years.

What is POPIA?

POPIA is the Protection of Personal Information Act of South Africa. It was first passed by the South African Parliament in 2013 and came into force on 1 July 2020. From this date, companies have a year’s grace period before they can be penalised for failing to comply with the regulation’s stringent data protection requirements. POPIA applies to every single organisation and business in South Africa that collects, handles or stores personal information of customers or other individuals.

Why is security awareness training essential for POPIA compliance?

The POPI Act requires all organisations in South Africa to protect the personal information of customers. If a cybercriminal steals data from your company, and a judge rules that you didn’t have the right precautions in place to prevent it from happening, your company will be liable for the damages. This puts the responsibility for protecting data into the hands of businesses - and their employees. To protect organisations from liability, end users have to know why they need to protect personal information, and how they can do it in practice.

How should you carry out POPIA training?

Not all training is the same. To ensure that your end users are on board with doing their best to protect their organisation, keep training engaging, to the point, and full of actionable steps and goals for your end users to meet.

Effective POPI Act training will...

» Make users aware of your organisation’s legal obligation to protect personal information

» Warn users about the potential penalties of failing to protect personal information, from fines and jail time to loss of trust from customers

» Educate users on all core security areas, from password hygiene and email security to the responsible use of removable devices

» Make training short and continuous, to keep it engaging and remind users year-round of their responsibilities

Staying secure with effective POPIA training solutions

The sad reality is that cybersecurity is an afterthought for most members of staff. While almost everyone knows the importance of passwords, in practice security is often pushed aside when work pressures and deadlines mount up. To prevent this from happening, you will need to build a security culture in which all end users know and respect the importance of security.

With regular, bite-sized and engaging training, you can ensure that end users are reminded of their responsibilities on an ongoing basis and receive advice on how to put security into practice in their day-to-day work. This should form the core of a security-minded culture, where security is a part of daily work life - and not an afterthought.

Find out more about how we can help you with POPIA compliance.