Exploring compliance with the protection of Personal Information Act : implementation considerations in small software development companies in South Africa

Abstract

This study explores the challenges relating to protection of personal information (POPI) compliance within a small software development company. The aim of study is to uncover these challenges and provide guidelines that could assist other small software development companies. Fines of up to ten million rands could be imposed on companies that do not comply. The researcher’s experience as a software developer and as an information technology manager, coupled with preliminary studies, revealed that companies have not yet started to prepare for when the Protection of Personal Information Act, No. 4 of 2013 (POPIA) comes into full effect. A review of pertinent literature had themes Consent, Data Officers, Deletion of Personal Information, Policies, and Technical Measures emerge. Consequently, the following research question was formulated, “What implementation guidelines should be considered by SMEs to promote compliance with POPIA?” Two sub-research questions were required to answer the main question. These are Sub-Question 1, “What are current challenges that small and medium enterprises (SMEs) could face when implementing POPIA compliance?” and Sub-Question 2, “How can POPIA compliance implementation challenges be met?” To answer the research questions, the following research design and method were used. A multi-method design was used in an exploratory case study. The methods used in the study incorporate interviews and surveys. Findings suggest that companies will have challenges relating to POPIA compliance. Recommendations include that companies review existing legislative requirements and ascertain if POPIA impacts them in any way, and that staff should receive training on cyber security in the workplace. Furthermore, companies should secure information technology infrastructure, including any software and data, and should have frequent penetration tests conducted by an independent organisation. In addition, company policies should include protection of personal information. Lastly, information technology teams should identify and document threats that could compromise personal information. The study found that POPIA impacts companies subjectively and therefore a recommendation for future research is that similar studies be conducted in various companies to determine the impact POPIA compliance will have. Furthermore, the possibility of an independent body that issues POPIA compliance certificates should be researched.