For many, POPIA’s arrival signalled nothing but the coming of massive headaches. It was like they were about to receive pets they never wanted to be stuck with, or, even worse, annoying new neighbours who constantly peer over their fences to make conversation. Some may even say that these anti-POPIA people were going through the five stages of grief – POPIA grief. We’ve come a long way since then, I believe… But let’s talk about what that grief looked like. Hopefully, you’ll be able to take away a few insights from it.
Denial – POPIA’s just another passing hype train
I’ve spoken to many clients who struggled to accept that POPIA would ever materialise into a law with teeth. Some brought up the Consumer Protection Act and how it hasn’t always had the bite that many feared it would have. I remember attending a POPIA workshop in 2014. John Giles ran the workshop. I remember him doing his best to convince the attendees that he wasn’t just another doom prophet trying to profit from painting a bleak legal picture of the future. It is now many years later and I’m happy to report that John was right. POPIA was not just another passing hype train. POPIA denial has been soundly defeated!
Anger – POPIA sucks!
Once the denial receded, it gave way to anger. Many clients were angry. They told me that POPIA was an inconvenience, that they would probably never bother trying to comply.
Bargaining – Please go easy on us, Information Regulator…
When people don’t have a choice, their anger over something usually falls away and they begin bargaining to deal with their new reality.
It was during the bargaining stage that I began receiving calls from clients about getting the Information Regulator to go easy on them.
There were a number of questions that I had to answer. Is there a way to avoid POPIA’s application? What if we don’t have the budget for compliance? Does the regulator make any exceptions? What if we obtain consent from our data subjects? Doesn’t consent mean that we don’t have to comply?
Depression – Running a business is already hard enough
Despite the many questions, I had to tell worried clients that bargaining with the regulator never helps. The regulator has a mandate to enforce POPIA, I said. If an organisation processes personal information recklessly and unlawfully, the regulator has to intervene once they become aware of it. This brought on the depression stage.
The response I got typically centred on how difficult it was to run a business, that having to comply with POPIA would only make things much harder.
Acceptance – You know what, let’s just comply…
Finally, once denial and anger had given way to bargaining and depression, acceptance blossomed.
We don’t want an Enforcement Notice to force us to comply, some said. We’d rather get the ball rolling and tick a few important boxes along the way.
Needless to say, I was always happy when clients eventually got to this point. It made me happy that they trusted us to help them, and, more importantly, were lowering the chances of the regulator ever taking action against them.
One thing I always reminded them about, though, is that they mustn’t just follow a tick-box approach when they are ready to act on their acceptance of POPIA. An outcomes-based approach is always necessary. A tick-box approach just leads to having a whole number of POPIA-related policies and procedures that won’t help the clients achieve helpful outcomes (such as protecting a data subject’s personal information).
