After eight years the PoPIA deadline is looming: 1 July 2021 is fast approaching for many organisations.
Annemarie Pretorius, MD at Bizmod Consulting, says that over the past year PoPIA has hit the headlines more frequently than before and that, as a result, anxiety has increased around implementation deadlines and the full extent of the Regulator's powers.
However, many organisations seem to be missing the key purpose of PoPIA: it is not an act to comply with grudgingly, but a tool to springboard a company into a customer-centric, digitally aligned organisation, and one that management should be embracing.
Pretorius says that the Act is important and that companies need to comply, because by not complying they erode their customer bases, vastly underestimate data as an asset, and remain vulnerable to insiders and external parties with malicious intent.
Once buy-in has been gained to leverage the requirements of the Act in achieving key future-facing business goals, the next phase is to accept and explore the following:
* Privacy, just like information security, is a key part of a company's support services. It will remain an ongoing requirement, just as the Human Resources and Operations departments do. Privacy should therefore be leveraged to add as much value to the organisation as possible: enhancing processes, refining information quality, and elevating strategic decisions regarding IT, IS, customers and culture. In short, it's a new job and it is staying; companies need to sweat the investment.
* Management needs to view privacy not as a static binary state (compliant or not compliant) but as a position on a maturity continuum, assessed across different dimensions that continually grow and mature (or regress) as demands from regulators or data subjects change over time.
* To deliver on the underpinning requirements of a privacy-maturing organisation there are two key dependencies, each with its own maturity journey: information security, because a company cannot have privacy without security, and information security maturity is a key dependency for privacy maturity; and records management, which means controlling records throughout their lifecycle, from the moment of creation to archiving and deletion. Information security has started to receive a lot more focus and budget over the last five years, while records management still lags in both focus and budget allocation. Companies need to budget for both disciplines.
* Many companies are not large enough to justify the expenditure of a full-blown privacy department, although the requirement for compliance is exactly the same for a micro-organisation as it is for a JSE-listed company. The principles and strategic intent discussed above can still be woven in and applied as far as possible, and outsourcing the significant ongoing administrative, analysis and interpretation work on a retainer basis to a knowledgeable service provider may help keep the cost of compliance down.
* Finally, as with any large, and perhaps scary, change, the simplest solution is to just start doing something today, and then continue planning and executing. Weaving this into your strategy will help the company achieve long-term sustainability.
For many, the anxiety of complying with PoPIA has led to questions about what comes next and when we are done, and occasionally to either a despairing "we started too late" or a fatalistic "we will take the risk and be fined". Pretorius says, “PoPIA may not be the medicine companies want, but it is the medicine they need to remain operational, relevant and competitive.”