Are you looking for POPI Act training (or POPIA training, POPI training or eLearning) for people who actually process personal information? The POPI Act is a law in South Africa and many people need awareness training on it. Are you in the process of creating an awareness training programme? Various groups of people need to know different things about the POPI Act (target audience). For example:
- People who actually process personal information as part of their daily work duties (like customer-facing employees) need specific training.
- Sales managers and marketers need to know about the marketing aspects of the POPI Act (with a focus on direct marketing issues).
- Call centre and helpdesk agents must know how to deal with customer queries and complaints.
- IT managers and Information Security Officers need to know the implications for information security.
- HR managers need to know how to protect the personal information of employees.
We can train your employees on POPIA to increase their awareness.
POPI Act awareness training must be suitable and specific to the audience. Different audiences need different training, and it is crucial to get that right. The training must be practical. It is essential that the training adds value to your organisation: it must be relevant to your organisation and address your specific issues. Your employees’ time is valuable, and we want to ensure they spend it wisely. We contextualise our training and explain why people are attending and why things need to change (if things do need to change). Where do you start?
- Who needs to be trained (your target audience)?
- What outcomes do you want to achieve with the training (what should they know)?
Once you have identified this, you can decide how best to achieve it.
Format of the POPI Act training?
Online or in-person legal training? Some legal training is best done in-person. But online legal training also means that you save time on travelling and that you can pick the time and place that is most convenient for you to get trained. We can do either depending on your preference and general circumstances (for example, to prevent the spread of disease).
Live or recorded training? We offer both live and recorded POPIA training. Recorded training is sometimes referred to as eLearning. In particular, we have been doing lots of online live training recently.
We have a lot of content that can be presented in various ways. We use many different methods to train people, from videos, to assessments, to questionnaires, to exercises.
How we can help you with POPI training
- Plan and manage your information security and privacy awareness and training programme by asking for our advice (we can workshop it with you or you can join our data protection programme and work through the module on managing an awareness training programme).
- Raise awareness among your employees on specific issues by asking us to provide POPI Act training tailored to your organisation’s specific requirements.
What POPI training achieves
Our POPI Act training:
- enables you to demonstrate to your customers and the Information Regulator that you protect personal information,
- raises awareness amongst employees of their privacy responsibilities under the company Privacy Policy and how to reduce the risk of a privacy breach,
- educates employees on the company policies (like an Acceptable Use of IT Policy),
- integrates information-handling practices into day-to-day business activities,
- sets up campaigns (e.g. posters, email) as well as “role-based” training.
Our training is aimed at different target audiences, because different audiences have different needs regarding what they should be doing.
The Protection of Personal Information Act (POPI Act) requires that “appropriate, reasonable” measures be taken to protect information from loss, damage or unlawful access (as do the Payment Card Industry Data Security Standard and ISO 27001). This implicitly requires companies to provide training to help employees understand what those measures are. Security experts often say that staff (insiders) are the biggest threat to personal information, and the list of breaches maintained by the Privacy Rights Clearinghouse is dotted with incidents resulting from employee mistakes. Training is particularly important as the law requires the company to notify the Regulator and data subject of security breaches.
Who needs training?
There are four different groups of people (target audiences) who need different kinds of training.
- Governing body. Your governing body or exco needs an executive briefing. This is typically done live – either in person or online. It is a short session of less than one hour. We deal with this in more detail in the module called getting governance right. They need a high-level, specific level of awareness. The executives can read and watch the module, or someone in your organisation can use the module to present to the executives, or you can ask Michalsons to brief the executives.
- The officer. The person who is responsible for ensuring that your organisation complies with data protection law (possibly you). For example, this might be your legal adviser, compliance officer, information officer or data protection officer. They need a much deeper level of awareness – that is what this data protection programme or our data protection workshop is for. This is also what our training for information officers is for.
- Divisional managers or champions. Your data champions, line managers, leaders or decision-makers who plan and implement controls to protect personal data. They too need a deeper level of awareness and again that is what this data protection programme or our data protection workshop is for. Each person needs to work through the modules that are relevant to them.
- Processors of personal data. The POPIA training described on this page is about raising the awareness of the people in your organisation who actually process personal information. Typically this is where e-learning comes into play and can be very useful. It is also worth noting that this data protection programme and our data protection workshop are not suitable for achieving this objective.
It is very hard to train the different target audiences all at the same time. Some will get bored and others will feel that the training was too high level. It really does make sense to have different sessions for the different target audiences.
POPI Posters
One idea to raise the awareness of POPI (and other IT laws like the ECT Act, or RICA) and the importance of protecting personal information is to put up posters. You can get a privacy awareness toolkit off the internet, but it is not specific to the POPI Act. We also provide a variety of posters for a specific IT or ICT Law (ECT Act, PAIA, POPI, or RICA) to raise awareness about the law. We can provide samples on request.