Common and different compliance requirements


Often when a new law (like a data protection law) is enacted, all organisations are on the same timeline with the same deadline. They’re all on the same journey of meeting the compliance requirements to lawfully process personal information and protect people from harm. This is a significant task and can feel daunting and overwhelming. But being on the same timeline presents us all with a unique, once-in-a-lifetime opportunity.

There is a common compliance requirement

If you look at the things organisations need to do, about half of them are the same (or very similar) across organisations and sectors. The thing with personal information is that all organisations process it. For example, all organisations have employees whose personal information they process. All organisations have suppliers, and so on. The outcome of us presenting on the POPI Act to thousands of people from all organisations and sectors is that we could identify the common compliance requirements. Most of these common compliance requirements do not give one organisation a competitive edge over another.

Why re-invent the wheel?

Would it be a good idea if, during the relevant grace period, each organisation worked on its own in order to comply, and ended up having to start from scratch, basically reinventing the wheel each time? For example, imagine a thousand organisations each spending 10 hours to draft an incident response policy for themselves. That adds up to 10 000 hours. 10 hours is not enough time for one organisation to do a great job, and, in the long run, spending 10 hours on a task and not coming out with good results on the other end is not good for any organisation at all.

Doesn’t it make much more sense, then, to work together to achieve the common goal of complying with the law and protecting people from harm? Surely there is a lot of time and money to be saved.

We need to focus on what is common and different

We think the solution is for Michalsons to spend a lot of time (say 100 hours) drafting a truly great template, tool or guide. With time, we can:

  • research other mature data protection jurisdictions,
  • identify the latest best practices,
  • find great ways of doing things through leveraging the years of experience of the members of the Lexing network – people who have been helping organisations comply with data protection laws for up to twenty years, and
  • spend the time it takes to refine, simplify and perfect things. We love doing this.

Each organisation can then customise it for its specific circumstances using its own resources, spending the smallest amount of time possible (say one hour) on what makes that organisation different from the rest. Each organisation will have saved nine hours, and the outcome will be much better at a lower cost of compliance. Your resources should go towards customising things for your organisation, not towards creating something from the ground up.

In other words, Michalsons should focus on what is common whilst your resources should focus on your bespoke or unique requirements – the things that make your organisation different.

Take practical effective action by joining our programme

This is why we created the Michalsons Data Protection Compliance Programme – it is a way for lots of organisations across many sectors to take practical effective action to comply with data protection law at the lowest cost. We’re passionate about it because we believe the outcome will be that organisations will protect the personal information of data subjects (for example, our parents, siblings or children) and therefore they’ll be protected from harm. The programme is exclusively for organisations that we think should participate. If you’d like to participate, please apply.

By | 2019-06-27T13:55:43+02:00 | November 29th, 2016 | Categories: POPI and Data Protection