Exploring compliance with the protection of Personal Information Act : implementation considerations in small software development companies in South Africa
Author(s)
Theys, Marvin Walter
Date Issued
2020
Type
Thesis
Publisher
Cape Peninsula University of Technology
Abstract
This study explores the challenges relating to protection of personal information (POPI)
compliance within a small software development company. The aim of the study is to uncover
these challenges and provide guidelines that could assist other small software development
companies. Fines of up to ten million rands could be imposed on companies that do not
comply. The researcher's experience as a software developer and as an information
technology manager, coupled with preliminary studies, revealed that companies have not yet
started to prepare for when the Protection of Personal Information Act, No. 4 of 2013 (POPIA)
comes into full effect. From a review of pertinent literature, the themes Consent, Data Officers,
Deletion of Personal Information, Policies, and Technical Measures emerged. Consequently,
the following research question was formulated: "What implementation guidelines should be
considered by SMEs to promote compliance with POPIA?" Two sub-research questions were
required to answer the main question: Sub-Question 1, "What are current
challenges that small and medium enterprises (SMEs) could face when implementing POPIA
compliance?" and Sub-Question 2, "How can POPIA compliance implementation challenges
be met?" To answer the research questions, a multi-method design was used in an
exploratory case study, combining interviews and surveys. Findings suggest that companies will have
challenges relating to POPIA compliance. Recommendations include that companies review
existing legislative requirements and ascertain whether POPIA impacts them in any way, and that
staff should receive training on cyber security in the workplace. Furthermore, companies
should secure information technology infrastructure, including any software and data, and
should have frequent penetration tests conducted by an independent organisation. In addition,
company policies should include protection of personal information. Lastly, information
technology teams should identify and document threats that could compromise personal
information. The study found that POPIA's impact differs from company to company, and therefore a
recommendation for future research is that similar studies be conducted in various companies
to determine the impact POPIA compliance will have. Furthermore, the possibility of an
independent body that issues POPIA compliance certificates should be researched.
Additional information
Thesis (MTech (Information Technology))--Cape Peninsula University of Technology, 2020
File(s)
Name
Theys_Marvin_210184043.pdf
Size
3.79 MB
Format
Adobe PDF
Checksum
(MD5):8ddc7f7ce3bcb9605dd6f6beefcb9cdb
