Role of employees in data protection

South Africa

Many organisations, in preparation for the commencement of the Protection of Personal Information Act No 4 of 2013 (“POPIA”), have commissioned and drafted world-class organisational data protection policies and implemented POPIA compliance programmes to ensure compliance with POPIA on 1 July 2021. Now that the dust has settled and some time has passed, organisations should remember that without ongoing employee training and awareness, the positive impact and effectiveness of these data protection policies and programmes remain limited, or worse, non-existent. As a result, organisations face a real risk of suffering a security compromise (i.e. a data breach) and/or of non-compliance with the principles for lawful processing under POPIA.

One of the requirements under POPIA is to establish adequate technical and operational measures for the protection of personal information. It is well understood that employees must adhere to the operational measures implemented in the organisation.

While “data protection” may not be in everyone’s job title, each employee must be aware of their specific role in ensuring personal information processed by an organisation, and in particular by themselves, is secure and lawfully processed. Even though we may associate legal, information technology, compliance and human resources roles more with the duties relating to data protection, in truth, most data processing activities occur in the day-to-day operations of an organisation, which are in effect managed and conducted by all employees. In other words, employees are at the coalface of data protection in an organisation.

What qualifies as sufficient employee training?

It is likely that organisations will have provided initial training to their employees on their compliance obligations, the organisation’s obligations under POPIA, the organisation’s data protection policies and the organisation’s applicable POPIA compliance programme. It must be remembered that it takes time and practice to instil a culture of data protection and privacy within the workplace. If this training is a once-off exercise, the well-intended policies and procedures adopted by the organisation will not be effective in reducing the organisation’s risk of suffering data security incidents, data breaches and/or security compromises. Further, acts of non-compliance by employees may also cause the organisation to be in breach of its obligations for lawful processing under POPIA. It is therefore incumbent upon organisations to conduct and maintain ongoing training and awareness programmes, which include vigilance and compliance testing of employees. While ongoing training and testing may seem like a burdensome investment to make, it is critical, and such investment may prevent a greater economic and reputational risk from materialising.

This is because in an organisation’s data protection arsenal, employees are an organisation’s first line of defence, but can also be its greatest weakness.

As the threats to organisations are constantly evolving, it is crucial that any compliance training provided to employees relating to data protection policies and measures, which form part of the organisation’s POPIA compliance programme, is ongoing and regularly updated. For example, the data protection training and procedures put into place pre-COVID may be insufficient now that many employees are working remotely on a hybrid or full-time basis. Further, many employees may be unaware that when they connect to open networks while working at coffee shops or other public spaces, their information is more susceptible to hackers.

In addition to ongoing training, some ongoing compliance measures and/or assessments which an organisation can implement to help its employees raise their awareness of data protection compliance standards required in the workplace include:

  • implement a clean desk policy, to ensure that physical documentation which contains personal information is not left unattended on employees’ desks;
  • check and report on how often employees do not lock their computers when they step away from their desks;
  • run regular tests which gauge employee alertness to scams or phishing attempts (for example, IT sending fake phishing attempts to employees over a period of time to assess their ability to identify and respond to such attempts);
  • restrict employees from using complimentary USB devices. To save and transfer the organisation’s information, employees should only use USB devices provided by their organisation or purchased themselves for work purposes, and should ensure that applicable encryption measures are used for such storage devices;
  • conduct data breach simulations to gauge employee readiness in responding to security incidents. It is critical that employees understand who their point of contact is in the case of a data breach. There are certain notification requirements applicable to data breaches and there is, therefore, no room for delay due to confusion about procedure.

There are a host of other measures organisations may implement, and we have therefore only mentioned a few herein. It should be cautioned that each organisation should adapt applicable measures to the activities and apparent risk of the organisation, considering its operations.

Recently, it was reported that TransUnion suffered a data breach as a result of a cybersecurity attack. It was alleged that the hackers responsible for the TransUnion data breach were able to access 54 million personal records of South Africans because the employees (whose accounts were breached) made use of weak passwords (i.e., “password”) for their user accounts. This recent cyber-attack brings to the fore how employee non-compliance with data protection standards and/or behaviour may result in serious repercussions for an organisation, of both a reputational and potentially financial nature. The consequences of not having employees who are well-versed in practical day-to-day data protection practices are dire. Investing in ongoing employee training and testing is investing in the data security of the organisation.

Key Takeaways

  • Data protection policies will be ineffective in avoiding data breaches without effective and ongoing employee training and awareness;
  • Employees are, simultaneously, an organisation’s most powerful asset and greatest weakness in an organisation’s data protection compliance programme and data breach/cybersecurity incident prevention programme;
  • Ongoing training of employees is crucial to instilling a culture of data protection and privacy in any organisation.

Contact us if you require assistance with refreshing and conducting a data protection training programme, or advice on practical ways to bring about awareness in the organisation.