It is useful to draw an analogy between data protection and personal fitness. It will help you work out what your organisation should do to comply with data protection laws. Note that it is data protection that is like personal fitness and not data protection compliance (like GDPR compliance or POPIA compliance).
You want to be fit but it is impossible to be 100% fit. At the beginning, you can do your own fitness test with guidance and using a fitness checklist (or ask your personal trainer to do it for you) to determine the gap between where you currently are and where you need to be – for example with your resting heart rate. You can do one big fitness test at the beginning covering all aspects of your fitness or you can do multiple smaller fitness tests on different aspects of your fitness each month. Or if you know you’re really unfit, you can just get on with it.
To get fit you need:
- to know more about personal fitness and training,
- a workout programme, and
- personal trainers who do what they can for you (like adjusting equipment), help you work out what exercise to do next and keep you motivated.
The personal trainer can’t do the running for you but they can make it as easy as possible for you to do it practically and effectively. You then work out hard for a period of time according to the programme and you get fit. Not 100% but pretty fit. You feel good. Just because you’re not 100% fit doesn’t mean that you’re not healthy.
Once you’re fit, you can then maintain your fitness (without a personal trainer) by doing the odd fitness assessment and revisiting your workout programme. If you want to prove how fit you are, you can participate in a triathlon and win a medal.
You want to protect personal data but it is impossible to protect personal data 100% of the time. At the beginning, you can do your own gap analysis with guidance and a compliance checklist (or ask your subject matter expert to do a gap analysis for you) to determine the gap between where you currently are and where you need to be – for example with your governance structure. You can do one big gap analysis at the beginning covering all aspects or you can do multiple smaller gap analyses each month (for example monthly planning workshops). Or if you know don’t protect personal data, you can just get on with it.
To protect personal data you need:
- to increase your awareness of data protection,
- a data protection programme, and
- subject matter experts and project managers who take the action they can for you (like drafting documents), help you work out what actions people in your organisation need to take next and empower them by giving them knowhow and tools.
The subject matter expert can’t take many of the actions for you but they can make it as easy as possible for you to do it practically and effectively. You then take various actions for a period of time according to the programme and you protect personal data. Not 100% but most of the time. You manage the risks of non-compliance. Just because don’t protect personal data 100% of the time doesn’t mean that you’re not GDPR compliant (or POPIA compliant).
Once you protect personal data most of the time, you can then sustain your protection (without your subject matter expert) by doing the odd privacy impact assessment and revisiting your data protection compliance programme. If you want to prove how well you protect personal data, you can be audited and become GDPR certified (or POPIA certified).
What is going to work best for you?
Like you need to work out what fitness regime works for you, you need to work out what the best option is for your organisation to protect personal data. We’re here to help you to the extent that you need us.
Questions to ask yourself
- Do you need to do a gap analysis?
- If yes, do you want to do the gap analysis yourself with guidance or do you want someone to do it for you?
- Are you going to do a gap analysis following a waterfall methodology (one big one) or in an agile way (lots of small ones)?
- What is the scope of the gap analysis?
- Do you need to increase your awareness or the awareness of others in your organisation?
- Do you need a programme to help maximise your efforts?
- Do you need a team of subject matter experts to help you?
- If yes, do you need to retain them so that they are available when you need them? For how many hours? Or am I happy to just call on them when I need them?
- Do you need to be certified?
If you need guidance as to which of the options is the best one for your organisation, we’ve designed a simple high-level impact assessment questionnaire that will help us identify the course of action best suited to your organisation. This information, combined with a follow-up call with one of our attorneys, at no cost to you, will help us and you understand the potential impact of these laws on your organisation. We can then factor in your budget and the resources available to you. Based on this, we’ll suggest a way forward and provide you with quotes, so that you can make an informed choice. It will take you about 4 minutes to complete.