Every organisation should have a compliance strategy for complying with the laws that apply to it (for example the POPI Act or the GDPR). King says that the governing body should provide strategic direction on compliance. The strategy should be unique and specific to your business and meet your business’ requirements. There is no one-size-fits-all approach when it comes to a compliance strategy. These are some of the compliance strategies we have encountered amongst some of our clients:
- Absolute compliance
- Minimum compliance
- Do what is reasonably practicable
- Least money for the biggest impact
- Keep the CEO out of jail
- No official strategy
We are not advocating any one particular strategy in this article. We are simply sharing with you what we have observed. Once your governing body has set the direction or strategy for compliance, it should be recorded in a governance, risk or compliance policy. If it relates to data protection, the strategy is sometimes recorded in a data protection policy.
Absolute compliance
When clients say they want “absolute compliance” with laws, it is important for us to understand exactly what they mean. Do they follow a:
- compliance with law approach?
- risk-based approach?
- best practice approach? or
- combination of the three?
It can be argued that there is no such thing as “absolute compliance”. For example, it will be very difficult for larger companies to avoid privacy breaches (many companies lose several laptops a year as cars are hijacked, houses are broken into, etc.). When considering this approach, there is an obligation to comply with the legislative requirements of the POPI Act, but also:
- for the company to comply with the Information Regulator’s rulings, and
- for its operational staff responsible for the POPI Act to comply with what is expected of them – for example, to make the necessary product disclosures required by the POPI Act.
It is also important that “compliance” take place on a daily basis.
Minimum compliance
If such a state is achievable, it is still necessary to understand the legislative requirements and the impact of the relevant law on your business. This in turn requires:
- that you know what is happening within your organisation, and
- that you have the expertise to deliver “minimum compliance”.
Do what is reasonably practicable
You only do what is reasonably practicable to comply.
Least money for the biggest impact
If this approach is possible, it is still necessary here for you to know “the big picture”: to know what your definition of “compliance” is and what you would have to comply with in the ideal compliance scenario. Only then might you be able to work out what you need to address at a minimum.
Keep the CEO out of jail
Many see this as a pragmatic “fly under the radar” approach, taking into account things like:
- the offences and penalties,
- when the Information Regulator will be in a position to start issuing rulings (in many foreign jurisdictions it took the Regulator several years to ‘have teeth’) and
- your understanding of the ‘big picture’.
You need to assess this approach, like all the others, carefully.
What is your Compliance Strategy?
If you don’t have one, we can help.