Dear information officers, happy 2023! We know you have a lot on your plate with POPIA and PAIA. But don’t worry—we have your back. Here are 5 doable resolutions to help you stay on top of your game this year.

1. Realign with your organisation’s compliance strategy

It’s normal to feel anxious about where to start planning for 2023. But there’s a simple solution.

Turn to your compliance policy.

Your organisation’s compliance policy sets out its strategy to comply with the laws that apply to it. For example, it may say: “We take compliance seriously. Our approach is to do what is reasonably necessary to comply with the laws that apply to us.” This statement tells you your organisation’s general approach to compliance. It strikes a middle ground between minimum compliance on the one end of the continuum and absolute compliance on the other.

More specifically, the laws in the compliance policy usually include data protection (POPIA) and access to information (PAIA) laws. And, if your compliance journey is more mature, you can generally find more details about POPIA compliance in your data protection policy and PAIA compliance in your PAIA manual.

2. Reflect on what you’ve already done

You have a compliance programme

If you’ve been the information officer for some time, you’ll probably have created a compliance programme to help your organisation comply with POPIA and PAIA. The result is that you have a track record which you can review.

How? From a data protection perspective, the IAPP recommends you develop a questionnaire or checklist to help identify where you need to update the programme. The review needs to address the following:

  • significant changes in data flows;
  • the geographical footprint of your organisation;
  • technology transformations;
  • size, either from an employee number or revenue standpoint; and
  • other issues that significantly impact the privacy or access to information profile of your organisation.

If the review interests you, reach out to us for data protection or access to information health checks.

You don’t have a compliance programme

If not, that’s also okay. To put a programme in place, start by filling in our impact assessment, and then we’ll reveal your custom options.

3. Design your 2023

If you follow steps 1 and 2, you should know where your organisation is headed and what you’ve already done. Next is to design what your 2023 will look like to move your organisation closer to its compliance vision.

The question you should ask yourself is, “How can I move my organisation towards its POPIA and PAIA goals?”

The one-pager overview

The idea here is to have a high-level overview of 2023. Essentially, you’d create a calendar for 2023 in a document and allocate projects for each month. For example, “February 2023 will deal with POPIA awareness training for the HR team”.

Involving a project manager

Compliance is a journey, not a destination. And this often means you need support to keep your ongoing projects (that form part of your programme) running. We don’t recommend you manage these projects yourself. Instead, we suggest you rely on your organisation’s project managers to assist you in setting up training sessions, managing communications with personnel, and facilitating interventions.

4. Be lazy

Your attention is valuable. It’s challenging to keep up with the demands of your job and conduct research on the various areas of the law. So, why not funnel the resources your way? It’s about working smart, not hard.

  1. Subscribe to newsletters. We have a personalised newsletter that brings the latest POPIA and PAIA news, tips, best practices, and case law straight into your inbox.
  2. Set search engine alerts. You can make your search engine work for you by setting up alerts for keywords like “POPIA”, “information officer”, and “information regulator”. So, you hardly ever need to spend time searching for the latest updates. Instead, the alerts will simply filter into your inbox. Here’s a quick tutorial on setting up Google Search Alerts.
  3. Ask for help. If you feel overwhelmed and are struggling to get started, feel free to reach out to our team to coach you through setting up a programme and projects.

5. Implement compliance by design

Instead of chasing your team to think about data protection and access to information, how about equipping them with the skills to alert you to any projects they’re working on that may impact these compliance areas? For instance, to comply with POPIA, you can train your teams on privacy by design. Privacy by design empowers your teams to identify the privacy risks of projects before they start, flag them, and then get you involved to ensure they’re doing their project lawfully.

End thought

Being an information officer is not easy, but with the proper support, tact, and a risk-based mindset, you can help your organisation realise its compliance vision.