Once we have a commencement date for POPI (probably 24 May 2017), all organisations will be on the same timeline with the same deadline (probably 24 May 2018). They’ll all be on the same journey of meeting the compliance requirements to lawfully process personal information and protect people from harm. This is a significant task and can feel daunting and overwhelming. But being on the same timeline presents us all with a unique, once-in-a-lifetime opportunity.
There is a Common Compliance Requirement
If you look at the things organisations need to do, about half of them are the same (or very similar) across organisations and sectors. The thing with personal information is that all organisations process it. For example, all organisations have employees whose personal information they process. All organisations have suppliers and so on. The outcome of us presenting on POPI to thousands of people from all organisations and sectors is that we have been able to identify the common compliance requirements. Most of these common compliance requirements do not give one organisation a competitive edge over another.
Why re-invent the wheel?
Now wouldn’t it be crazy if, during the POPI grace period, each organisation worked on its own and did the things it needs to do itself – each one reinventing the wheel, thinking things through from scratch or drafting documents from scratch? For example, imagine a thousand organisations each spending 10 hours to draft an incident response policy for themselves – that adds up to 10 000 hours. And 10 hours is not enough time for one organisation to do a great job. Doesn’t it make much more sense to work together to achieve our common goal of complying with the law and protecting people from harm? Surely there is a lot of time to be saved?
We need to Focus on what is Common and Different
We think the solution is for Michalsons to spend a lot of time (say 100 hours) drafting a truly great template, tool or guide. With time, we can:
- research other mature data protection jurisdictions,
- identify the latest best practices,
- find great ways of doing things through leveraging the years of experience of the members of the Lexing network – people who have been helping organisations comply with data protection laws for up to twenty years, and
- spend the time it takes to refine, simplify and perfect things. We love doing this.
Each organisation can then customise it for their specific circumstances, with their own resource spending, say, one hour on what makes their organisation different. Each organisation will have saved nine hours of time and the outcome will be much better at a lower cost of compliance. Your resources should be customising things for your organisation because they know your organisation. They should not have to spend the time to create something from the ground up.
In other words, Michalsons should focus on what is common whilst your resources should focus on your bespoke or unique requirements – the things that make your organisation different.
Take Practical Effective Action by Joining our Programme
This is why we created the Michalsons POPI Compliance Programme – it is a way for lots of organisations across many sectors to take practical effective action to comply with POPI at the lowest cost. We’re passionate about it because we believe the outcome will be that organisations will protect the personal information of data subjects (for example, our parents, siblings or children) and therefore they’ll be protected from harm. The programme is exclusively for organisations that we think should participate. If you’d like to participate, please apply.