The Protection of Personal Information (POPI) Act will affect all small businesses and entrepreneurs in South Africa.

Small business owners must put measures in place to adhere to local and international data protection laws and take responsibility for cyber security in their businesses, according to Osidon CEO Hennie Ferreira.


What is the current state of cyber security/data protection laws in South Africa? How do we compare to other countries?

The POPI Act is South Africa’s major data protection law, which came into effect on 1 July 2020. First implemented in 2013, the Act gives effect to Section 14 of the Constitution, which provides that everyone has the right to privacy.

Ferreira says the POPI Act changes the way all companies are required to treat personal information. These new laws are now in place and government, companies and organisations must adhere to them when they’re using or storing people’s personal information.

According to Ferreira, this legislation has serious teeth. Violations of the Act could result in fines or compensation for damages as high as R10 million. Companies have until 1 July 2021, to become compliant.

“This legislation should have been in place ages ago and will protect both consumers as well as small businesses and entrepreneurs. The POPI Act is not a legislative hurdle, nor is it a restrictive piece of legislation, it is crucial and business owners and entrepreneurs must embrace it,” Ferreira said.

According to Ferreira, the POPI Act is a step in the right direction to protect information and South Africa is one of the first countries implementing this legislation. He says the act is in line with the European Union law on data protection (General Data Protection Regulation) which came into effect on 25 May 2018.


How does the POPI Act affect small business? Which businesses will be affected?


All businesses are affected.

The Act sets out rules for the collection, processing, storage and sharing of someone else’s personal information and will hold institutions accountable if they misuse or compromise personal information.

According to Ferreira, direct marketing will be hardest hit, as people will now have to agree to be contacted. This means no more cold calls or voicemails from robots.

While data protection laws of many other countries exempt SMEs, this is not currently the case in South Africa, which Ferreira deems to be a good thing.

“Data protection and cyber security are issues as important and pressing as overpopulation and climate change. This legislation is the only way to ensure businesses and entrepreneurs take responsibility for data protection and cyber security,” Ferreira said.


How important is cyber security in an online/tech business world?

Protecting your business, in terms of data protection laws as well as cyber security, has never been more important.

According to Ferreira, the world becomes more technologically connected everyday. While this is not a negative development in itself, information can fall into the wrong hands. If hackers and malicious entities gain access to this information, it can cost huge amounts of money and even human lives.

“We must not be less connected, because technology and the Fourth Industrial Revolution have countless benefits. What is important is that cyber security does not lag behind. Like having an alarm installed in your house, cyber security has become a necessity,” Ferreira said.


How can businesses/entrepreneurs protect themselves and their information?

According to Ferreira, small business owners and entrepreneurs must focus on three basics to “de-risk” their business – he calls it Cyber Security 101.

Firstly, it is essential to do regular software updates on all devices, to prevent hackers from gaining access. “Don’t try to save on data costs by skipping updates. 80% of threats can be eliminated if updates are done regularly,” he said.

Secondly, ensure you use next generation, AI and machine learning empowered antivirus systems. “95% of traditional anti-virus programmes are outdated and 350 000 new viruses are created daily, rendering these programmes useless,” Ferreira said.

Finally, Ferreira urges small business owners and entrepreneurs to educate themselves regarding cyber security threats, especially social engineering attacks. 85% of cyber attacks originate through social engineering, such as phishing emails. “Our only defence against these attacks is awareness training, to empower people to know what threats look like and what to do when confronted with malicious activities,” he said.

Under the POPI Act, businesses will be compelled to prove they have these basics in place.