All staff should be regularly trained on their duties and responsibilities in terms of data protection. It is unfair to expect staff to comply if you do not properly enable and equip them to be able to do this.

You are required to hold regular internal training and awareness sessions in respect of the POPI Act, the Regulations, Codes of Conduct or information obtained from the Regulator.

Staff must have a solid understanding of your organisation’s and their own responsibilities, as well as the penalties for not following the rules.

Training should include, as a minimum:

  • How to identify personal information
  • what processing is
  • the requirements of the Protection of Personal Information Act, and how this applies to them and their work
  • what data may be collected and processed
  • permitted access, use and disclosure of personal information
  • security responsibilities in respect of data
  • retention and disposal policies

There are a variety of different methods you can use to deliver training. These will vary according to the training recipients, your organisation, and the content, so your program must be tailored to your specific needs. There are numerous methods to deliver training interventions:

  • Classroom based training can be highly interactive and is a familiar, comfortable environment for many people
  • Computer-based training is good for training on specific topics, as well as for reinforcement and training for persons working from
  • Roadshows and presentations are suited to introducing new subject matter, and for organisations with multiple
  • Videos provide a highly demonstrative medium for various topics and are very effective
  • Posters, screen savers provide visible and consistent reinforcement on generic and specific
  • Emails are good for reinforcement, for contact with remote staff and also to invite employees to training

The objective is to get staff into the habit of asking themselves the following questions and knowing the correct answers:

  • “What personal information do I work with or have access to?”
  • “What are the risks?”
  • “What are the policies, procedures and controls I must follow to manage the risks?”
  • “How do I comply”
  • “What are the consequences if I don’t comply”


An educated workforce is the main line of defence against threats in business. When staff join your organisation, they need to be clear about your policies and procedures, especially routine practices such as logging in and physical access to the building.

You can build on this ‘day to day’ security with more general training. Induction Training should include data protection and initial familiarisation with risks, such as viruses, hackers, fraudsters, software piracy, harassment, data protection issues, protection of information assets. Staff will also need to know routine information such as how to connect to company servers, change passwords etc, and who to ask when they need support. You should address areas such as:

  • PC security: how to carry out updates, switch on a firewall, prevent viruses and spyware.
  • Using a web browser safely, prevent pop-ups, avoid fraudulent sites, how to check that an e-commerce or banking transaction is encrypted.
  • Behavioural issues: physical security, hoax emails, phishing, passwords, fraud and identity theft and how to avoid them, what to do if there is a problem or uncertainty about
  • Business issues: data protection issues, employment law, contract law, protecting sensitive company information and avoiding software piracy.
  • Permissions for the use of personal information
  • Required disclosures
  • Identifying and dealing with data breach

Remedial training and company-wide reminders may be necessary in the light of a security incident or an emerging threat in the wider world.

Refresher training is valuable as reinforcement.

In each case, training should include an overview of the reasons why information security is important, including coverage of the threats and risks and an assessment to ensure the person understands what is expected and how to comply.

You should keep full records of all training done in a secure and confidential manner.