POPIA READINESS ASSESSMENTS OR GAP ANALYSIS PROJECTS – OUR APPROACH
Complete this checklist to see how prepared you are for the Protection of Personal Information Act. If you have not ticked all these boxes, contact our offices to set up an online consultation on how we can help your business become compliant.
Companies should consider the following while developing a sustainable Protection of Personal Information Act roadmap:
- Executive Sponsorship: The “complying with the Protection of Personal Information Act” tone should be set at the top. The Board and/or management should be convinced that privacy, and compliance with privacy legislation, is necessary and essential.
- Stakeholder Consultation: The only people in an organisation or company who can drive compliance with POPIA are the decision-makers, the input-givers and the people who will be affected, whose support will be necessary to start the compliance journey.
- Define Roles and Responsibilities: Who is responsible for ensuring compliance with the Protection of Personal Information Act? Who will be appointed as the Information Officer (IO), and what will this person’s role and responsibilities be? Will the IO have a data governance team, and what will the team’s responsibilities entail?
- Policy Development: Companies should create customised policies, procedures, standards and guidelines that record what is expected of employees and how these expectations can be met.
- Policy Implementation: Having an unimplemented policy or procedure is sometimes worse than having no policy at all. Policies should be implemented to assist the company with measuring compliance and setting out consequences for non-compliance.
- Monitoring and Auditing: If compliance with existing policies cannot be measured, it is impossible for the company to manage compliance.
- Continuous Improvement: Monitoring and auditing compliance with company policies should lead to change. Continuous auditing, and the findings that come out of it, should mean something – this is the stamp of a sustainable POPIA programme.
- Change Management: Employees should be prepared and supported through change. Change management is integral to a POPIA programme. The Protection of Personal Information Act demands change because, in one way or another, it will change how most employees work. General awareness and training will unfortunately not achieve the necessary outcome – relevant training is what is necessary.
The 12-month “grace period” from 1 July 2020 (the POPIA effective date) to 30 June 2021 should be utilised by companies to establish and implement a POPIA programme. After measuring a company’s Information Governance Maturity, an estimate can be made as to when prioritised compliance with the Protection of Personal Information Act can be expected. The way in which information (all information, not just personal information) is governed should be effective before POPIA policies can be successfully implemented.
A complete POPIA programme includes several disciplines. Compliance with the Act will involve input, support and the buy-in of the entire business – legal, compliance, risk management and IT to name a few.
To embark on a POPIA programme, the following 5 steps should be prioritised:
A risk-based approach is necessary on the road to compliance. Companies should therefore identify and prioritise the activities that will pose the biggest risks in terms of POPIA.