POPIA – why you don’t need to panic (yet)
December 9, 2020
James George, Compliance Manager at Compli-Serve SA
When we think of POPIA legislation, a range of thoughts and emotions follow, from fatigue (fair enough, as we’ve been waiting for movement for many years) to feeling completely overwhelmed and panicked. The good news, however, is that you don’t need to worry… not just yet.
This is according to Elizabeth de Stadler of Novation Consulting speaking at Compli-Serve SA’s POPIA webinar in October. The 30 June 2021 deadline may be in the diary and inspires thoughts around the race being on to comply, but it’s not necessarily plausible that the regulator will be ready by that time either.
Covid-19 got in the way of the previous effective date, proving that life does happen when making other plans. This doesn’t exclude the regulator, but nor does it excuse you for putting your head in the sand. It’s essential to know where to put your energy, and in some cases, compliance should happen sooner than later.
This calls for a deep breath
“No one is POPIA compliant yet,” says Elizabeth.
Preparing for POPIA is going to take patience and persistence and the best way to manage it is to pick the most important area within your FSP to focus on. The trick is to avoid re-writing the entire playbook to be POPIA compliant. Work with the systems you have, says Elizabeth, and get them to POPIA alignment for a better outcome.
Following this sort of process will make it easier for all stakeholders and staff to transition; at least much more successfully than those feeling overwhelmed or ill-equipped. Trying to take on too much, addressing too many changes to come (by assessing where your business is in terms of POPIA compliance overall) can lead you to the deer in headlights analogy, with too much on the list to rectify. Don’t get knocked down – it’s about taking the baby steps to get there. But you need to actually take them and keep taking them, to keep up. It’s just not the intense rush you imagine.
With POPIA, it’s principles-based legislation, where you cannot adopt a ‘one size fits all’ approach. You need to adopt a risk-based approach instead, by first looking at the areas which pose the most POPIA risk in your organisation, and then adopting compliance management and risk mitigation strategies best suited to your organisation. The term ‘satisfactory’ appears 78 times in the current framework,” says Elizabeth, a self-proclaimed POPIA expert (“geek”). POPIA compliance is about finding the most reasonable measures to implement within your organisation currently, given your risks and available resources.
Proving your POPIA compliance is somewhat up for interpretation in some areas, but there are some steps that are ready for the taking, as you move closer towards complete compliance. Here are some top tips to try.
People are the problem and the solution
“POPIA is not an IT problem, it’s a people problem. Change management and training are essential,” she says. You’ll need to start there; getting buy in from everyone involved in how your business is going to need to change to reach the sweet spot (not dumping the task of finding the solution on your IT department).
First, five POPIA steps to take
Get an incident response team together to face risks, such as plan what will happen if there is a data breach. Implement a data protection impact assessment (called a ‘personal information impact assessment’ in POPIA) into your business to prevent new POPIA risks from getting through. Accept and ensure that not everyone in your organisation should have access to all company information. Review your forms to ensure that your wording indicates transparency as to what you will use supplied personal information for, and that there is a legal justification for this purpose under Section 11 of POPIA.
Get clear on consent
Consent comes with a catch when marketing to potential clients. Once 1 July 2020 is here, if you want to do any electronic direct marketing (email, SMS etc.) to new clients or customers (i.e. ones you do not have a pre-existing relationship with), you will have to get their consent to do so before you can send anything. Additionally, if you want to market new products or services to your existing client or customer base, or within your wider company group to your customer base, you may need additional consent to do so. The rule of thumb here is will the potential customer or customer be surprised to hear from you about a certain product or service? If so, then you are doing something wrong and will likely need to get additional consent in that circumstance.
Sort your security
A breach is more common in tough economic times and most businesses will suffer from at least one at some point. Often, to get to the bottom of why a breach happened, you’ll need to go offline and can lose business (the regulator may stop you from operating until the breach is fixed, and suppliers may force you too). That is the true cost – contacting everyone who is implicated and trying to figure out how the breach happened. The reputational damage from a data breach can be the most harmful.
POPIA compliance is in your reach. Don’t panic but do prioritise getting a plan and any needed action into place, as soon as possible. Working with a trusted compliance professional can help you to get this process going as smoothly as possible.