Many organisations are trying to assess the impact of POPI on their business. This makes a lot of sense, because you need to know where you stand before you can find the gaps, and only then can you find solutions to fill those gaps. The results of the assessment help an organisation decide how to implement POPI.
Many organisations are engaging consultants or lawyers to assist with the process.
Questions you should be asking
Organisations want to implement POPI in the most effective manner possible. Many of them are asking themselves these questions:
- What should I focus on?
- How can I fast-track my efforts?
- How do I reduce the overall cost of compliance?
- How do I ensure that I get value out of the assessment?
- What is the best way of doing the assessment?
- What compliance method should I be following?
- What compliance method best suits my business?
The fact that POPI has not yet been enacted makes things even harder. We don't yet know the final form of the law that is going to affect your business. POPI is also principle-based legislation, so even once it is enacted it may be hard to determine its exact impact on your business until a court or the regulator has ruled on how it applies.
We have been helping organisations to assess the impact of POPI and we have gained some practical insights that we think are of value.
As a starting point, we believe in a practical implementation of privacy. This does not mean focusing exclusively on the eight privacy principles and then implementing them. Interpreting the principles does not drive the practical implementation of the project. Of course, you have to understand the principles. However, the main reason for doing so is not to drive your privacy project, but to know what the regulatory hot buttons are so that you know what to monitor.
Doing a thorough and comprehensive assessment of a large business is a huge undertaking
A complete assessment takes a lot of time and effort, and its price tag can get high. You want to know that you are actually going to get value out of it at the end of the day, and that your compliance efforts actually add to the bottom line of the business.
Just do one activity as part of an initial assessment
Our suggestion is that you do not initially do a comprehensive Privacy Impact Assessment. This may sound crazy coming from a lawyer, but bear with me. It is simply not possible to control personal information completely; to do so would bring the company to its knees.
We suggest that the first thing you do is a relatively high-level assessment. As part of this you pick one activity (or process) in your business. Make it a really important one: one that your executives will lose sleep over because it is so serious to the company in its specific circumstances, and POPI will only make that situation worse. Or one that really adds to your bottom line, and that would have a serious financial impact on your business if it failed or was unlawful. A high-risk one. For example, it might be applications for new accounts or email marketing campaigns. Or one that would have a reputational impact on your business. For example, where you are dependent on your staff doing the right thing, such as telling you when a laptop or memory stick containing sensitive information has been misplaced or stolen or has fallen into the wrong hands. If the information is 'personal information', the company is required to inform the regulator!
Then, conduct a full impact analysis on just that single activity. Analyse how POPI affects it. While you're at it, you might broaden the scope to include all laws (including POPI) that relate to that activity. If the activity is marketing by way of SMS, for example, the applicable law would not only be POPI, but also the CPA, the ECT Act and the WASPA Code of Conduct.
You could also look at the business requirements of the activity while you are looking at the regulatory requirements.
This work costs much less because its scope is narrower.
There are many advantages to doing it this way.
You want to get the recipe right and then make lots of cakes. Not make lots of cakes that flop and then try and fix the recipe.
- You will be able to fine-tune your method. It will give you a good idea of how to proceed in the future. It is almost like a pilot project.
- You ensure that you are focusing on the right activity. You are working on an activity (or process) that is really important.
- You may be able to analyse your other activities (or processes) yourself and thereby reduce the overall cost of doing the complete implementation.
- You can satisfy yourself that you are working with the right consultants or lawyers who know what they are doing. You can also identify the right consultants or lawyers to implement the required solutions. We don’t do everything and we know who the right people are for different tasks.
- You don’t have to make a commitment to a huge project upfront.
- You will implement solutions faster. You don’t want to spend a year doing the analysis of all your activities and then only get round to implementing solutions. You want to be doing the first analysis and implementing solutions quickly.
- You are able to follow an agile method that lets you quickly check whether your method is suitable for your particular business or not. It also lets you make adjustments as you go.
The steps to analyse one activity
These are the usual steps for analysing one activity. However, it is important to be flexible, so we can agree on the applicable steps on a case-by-case basis according to the activity that you have chosen.
- We hold a workshop of two to three hours where you explain your activity to us. We ask questions to get a better understanding and identify where POPI and other laws will have an impact.
- We then draft a report setting out the gaps and the solutions that we recommend.
Often it is difficult to provide a quote for the report before the workshop. We generally prefer to give you a quote for the workshop and then another quote for the report after that.
If you are interested, please send us an email with a description of the activity or process you would like to assess and we will contact you to discuss your requirements further and then provide you with a quote for just that exercise.