CA Southern Africa cautions against a “wait and see” approach regarding the implementation of the controls necessary to attain POPI (Protection of Personal Information) compliance.
The POPI Act was passed into law at the end of 2013.
Eren Ramdhani, security solution strategist, CA Southern Africa, says that as we approach the end of 2014, POPI should be high on the business agenda.
“An approach of ‘wait and see’ would be a grave mistake as POPI compliance will not be achieved overnight,” says Ramdhani. “Several core business processes and policies will either have to be introduced or overhauled by businesses and the impact of this could be expensive if one gets out of the starting blocks too late.”
“There are crucial issues all organisations should at least commence thinking about if they are to both understand, and achieve, the eight conditions required for POPI compliance,” advises Ramdhani.
He says the first step is to appoint a POPI committee that represents all stakeholders including senior finance and audit managers, product owners, risk/compliance officers, customer contact centre managers and information security officers.
“This team needs to collectively conduct an initial gap analysis and further ongoing assessments aimed at identifying exactly what, where, when and how crucial data and information relating to customers and employees is managed in the day-to-day running of the business. The outcome of these assessments will lead to the formulation of a roadmap and plan that contains strategic objectives with measurable metrics that directly map to the statements of the eight conditions of POPI.”
Ramdhani says the roadmap itself is a remediation plan that constitutes a privacy and security governance framework that should take into account current and future initiatives for growth, including cross border information for companies operating outsourcing agreements.
“This roadmap needs to be a comprehensive document that covers all of the foregoing plus marketing and technology – specifically mobility, social media, cloud computing and big data. We are living in the technology world of BYOD, so the security complexities that come with the age of mobility must be factored into any compliance programmes,” says Ramdhani.
“POPI compliance can offer organisations a great opportunity to improve their overall risk management capacity, and if approached as such, it will bring business value in terms of brand protection or customer loyalty, among others,” concludes Ramdhani.