Planning properly for POPI
The Protection of Personal Information (POPI) Act is a term that most business owners will know well but may not have truly acknowledged yet. While we wait for it to be enacted by government, it can be easy to forget about some of the important steps needed in the background to keep up with compliance. This important shift in how personal information is handled mirrors the global narrative: be more responsible with what you share, and become more aware of how far your data may indeed go.
There may be some discomfort in accepting what is to come, but POPI should in fact be viewed as an opportunity to drive behavioural change within your business. The success of that change relies not only on the risk and compliance teams involved, but also on synergy between senior management, IT, HR and the other operational departments or teams within a business.
POPI compliance may seem daunting now, but businesses should remember that data protection is the right thing to do for clients in terms of good governance and also benefits client and stakeholder relationships.
It should be viewed not so much as ‘how do I tie this into my governance policy?’ and rather as ‘how do I incorporate protection of personal information into our culture?’. As a collective, drawing on input from everyone within a team, businesses need to evaluate what the business goals are and how the processing of personal information ties into these. A thorough review of the personal information life cycle is required.
Some points for consideration are: how is personal information handled within the business, and what processes and policies can be implemented to ensure that due care is exercised when collecting, storing, sharing and destroying it? The data must be dissected to assess its quality, as well as its purpose and safeguards. Furthermore, to satisfy the principle of data subject participation, if clients query the use of their information, how quickly and efficiently are they able to receive an answer?
In brief: is the data accurate, is it safeguarded, and how is it discarded when no longer required? There should also be an enhanced focus on legacy data, which may prove to be the most problematic and time-consuming.
An often overlooked but very important aspect is the socialisation of POPI within a business. In all likelihood, a breach will occur as the result of human error, due to negligence or a general lack of understanding. To mitigate this, management and training need to take place, and then be repeated. ‘Correct data, stored in the correct place, for the correct reasons, accessible by the correct people’ is a useful mantra to follow when dealing with personal information.
Failing to follow the rules could lead to costly fines and reputational damage that is even costlier. Can you afford not to be prepared?