Many organisations are trying to implement POPIA. They start by assessing the impact of POPIA on the organisation and then analysing the gap between where they are and where the Act requires them to be. This makes sense: you need to know the impact and the gap before you can find solutions to fill the gap.

Many organisations are engaging consultants or lawyers to assist with the process.

Questions you should be asking

Organisations want to implement POPIA in the most effective manner possible. Many of them are asking themselves these questions:

  • What should I focus on?
  • How can I fast-track my efforts?
  • How do I reduce the overall cost of compliance?
  • How do I ensure that I get value out of the process?
  • What is the best way of doing a gap analysis?
  • What compliance method should I be following?
  • What compliance method best suits my business?

Practical insights to implement POPIA

We have been helping organisations to assess the impact of POPIA and to conduct gap analyses, and we have gained some practical insights that we think are of value.

As a starting point, we believe in a practical implementation of privacy. That does not mean focusing exclusively on the eight privacy principles (the conditions for lawful processing) and then implementing them one by one. Interpreting the principles does not drive the practical implementation of the programme. Of course, you have to understand the principles. But the main reason for doing so is not to drive your privacy programme; it is to know what the regulatory hot buttons are so that you know what to monitor.

Doing a thorough and comprehensive analysis of a large business is a huge undertaking

A complete analysis takes a lot of time and effort, and its price tag can get high. You want to know that you are actually going to get value out of it at the end of the day, and that your compliance efforts add value rather than just producing paper.

Just do one activity as part of an initial assessment

Our suggestion is that you do not start with a comprehensive data protection gap analysis. This may sound crazy coming from a lawyer, but bear with me. It is simply not possible to control personal information completely; trying to do so would bring the company to its knees.

We suggest that the first thing you do is a relatively high-level analysis. As part of this, pick one activity (or process) in your business. Make it a really important one: an activity your executives already lose sleep over because of the organisation's specific circumstances, and that POPIA will only make more serious; or one that really adds to your bottom line; or one that would have a serious financial or reputational impact on your organisation if it failed or turned out to be unlawful. In short, a high-risk one. For example, it might be applications for new accounts or email marketing campaigns.

Then map that activity, create a record of it, and conduct a full analysis of just that single activity. Analyse how POPIA impacts on it and what the gap is. While you are at it, consider broadening the scope to include all the laws (not only POPIA) that relate to that activity. If the activity is marketing by way of SMS, for example, the applicable law would not only be POPIA, but also the CPA, the ECT Act and the WASPA Code of Conduct.

You could also look at the business requirements of the activity while you are looking at the regulatory requirements.

Follow your method from start to finish for that one particular activity. Find and implement the solutions (like a privacy policy) that are necessary to plug any gaps.

This work costs much less because its scope is narrower.

The advantages

There are many advantages to doing it this way.

You want to get the recipe right and then make lots of cakes, not make lots of cakes that flop and then try to fix the recipe.

  • You will be able to fine-tune your method. It will give you a good idea of how to proceed in future. It is almost like a pilot project.
  • You ensure that you are focusing on the right activity. You are working on an activity (or process) that is really important.
  • You may be able to analyse your other activities (or processes) yourself and thereby reduce the overall cost of doing the complete implementation.
  • You can satisfy yourself that you are working with the right consultants or lawyers, who know what they are doing. You can also identify the right consultants or lawyers to implement the required solutions. We do not do everything ourselves, and we know who the right people are for different tasks.
  • You don’t have to make a commitment to a huge project upfront.
  • You will implement solutions faster. You do not want to spend a year analysing all your activities and only then get round to implementing solutions. You want to finish the first analysis and start implementing solutions quickly.
  • You are able to follow an agile method that lets you quickly check whether your method is suitable for your particular business or not. It also lets you make adjustments as you go.

The steps to analyse one activity

These are the common steps for analysing one activity. It is important to be flexible, however, so we agree on the applicable steps case by case, according to the activity you have chosen.

  1. We hold a workshop of two to three hours where you explain your activity to us. We ask questions to get a better understanding and identify where POPIA and other laws will have an impact.
  2. We then draft a report setting out the gaps and recommend solutions.

If you are interested, please send us an email with a description of the activity (or process) you would like to record and analyse, and we will contact you to discuss your requirements further and then provide you with a quote for just that exercise.