The complexity of implementing a successful Protection of Personal Information (PoPI) Act project requires a diverse team with a strong skillset.
Anelda Dillon, from Bizmod Consulting says that the project manager is an integral component of a PoPI project. The multifaceted aspects mean that a strong leader is required to pull the project together while managing the different streams and work packages.
Dillon uses the analogy of a conductor in an orchestra when describing the role of the project manager. This individual needs to be cross skilled and understand the various elements of project management, business analysis, change management, implementation, and training.
It is the responsibility of the project manager to create the vision for the project and then to connect all the dots and manage the entire process, including detailed planning, overall project deliverable management (across the various different work packages), mitigating risks upfront and dealing with pertinent issues.
Dillon identifies five lessons that project managers should keep in mind when implementing a PoPI project:
* Business ownership – it is the responsibility of the project manager, in conjunction with the project sponsor to pass ownership of the project on to the business. The longer this isn’t done the longer the business will refrain from owning the elements. Ideally this should take place right from the beginning of the project.
* Create a simple picture that articulates the project to all stakeholders – PoPI programmes are complex in nature with multi-layered elements and it is the role of the project manager to be able to convey a clear breakdown of the project to the business. Efficient ways of conveying this message is through the use of various infographics, diagrams, roadmaps, models and even considering a “Journey to Compliance booklet.”
* Governance requirements – PoPI is a compliance project and as such all required governance elements need to be put in place as early in the project as possible.
* Be realistic with deadlines and understand the impact behavioural change plays on successful implementation. You may need to even plan for implementation to take much longer than originally anticipated, based on the culture, and change adaptability and maturity of the organisation. It is necessary to understand that due to the complexity of the solutions and the close integration to the behavioral aspect, implementation and reinforcement would be required. One training session will not suffice – continuous interventions will be required to move from awareness to reinforcement to embed an information privacy culture.
* Most importantly the project manager needs to surround themselves with the right team members. A specific and wide skillset is required for a PoPI project – individuals with a thorough understanding of compliance and the PoPI Act. Individuals with strong analytical skills and sound knowledge of information security controls impacting privacy. Change solution implementation driven individuals that grasp the detailed work required to guide individuals through the behavioural change required to embed an information privacy driven organisation.
Lastly, Dillon says that the project manager should be robust, and solution focused, working diligently through each phase of this multi-faceted project.