For example, the Protection of Personal Information Bill (POPI) requires that you allow your customers to view and change their personal information. While it is possible to use paper forms to manage these requests and the updating of information, this is not a very efficient way of dealing with the legal requirement. Instead, you could provide a website where your customers can view the information you hold about them and correct it, while at the same time:
- Giving you better information to use for marketing;
- Allowing you to market your products and services at the same time;
- Allowing them to give you permission to use their personal information for other reasons;
- Allowing them to refer new clients to you.
Returning to the four angles, we approach Information Governance from the perspective of:
- Legal requirements;
- Technical (IT) requirements;
- ISO standard security compliance; and
- Change management.
Obviously some organisations have sufficient in-house capacity to provide the solution for some of these aspects, but we consider it best practice to have all these skills on board when embarking on something as significant as revamping your Information Governance structure.
Taking a look at each of the four in turn, we see that:
1) The legal requirements obviously exist as a result of the new Protection of Personal Information Bill (POPI). However, this Bill has been drafted with the EU Data Privacy directive in mind and is intended to harmonise our legislation with the international community, which will make us a “safe” place to send personal information. This is a business opportunity.
2) Most data today is stored on computers (specifically on hard drives). Knowing where this information is and how it is used is a crucial first step towards managing your organisation’s internal and external information. While you hopefully trust your IT technician, there is little that he/she can do to comply with laws they have never heard about and security protocols that are new to them. Even worse, unless you have the same skills as they do, how do you really know they are doing a good job?
3) Not all data is electronic. A significant amount of it is still stored on paper or exists on paper even if it is captured electronically. An organisation’s data is only as strong as its worst security flaw, which means that if you only concentrate on your IT compliance you are almost certainly forgetting other security vulnerabilities. We assist organisations to assess their security based on the ISO 27001 standard of security. While you don’t necessarily have to become ISO certified, the ISO standard is a good international benchmark that can give you an objective view of where you stand.
4) Even if you spend obscene amounts of money on upgrading your Information Governance structure and processes, it won’t matter if your staff refuse to buy into the process. Getting a change management professional on board greatly reduces the possibility that the project will become a white elephant. The change management consultant’s job is to assess the organisation’s readiness and willingness to implement the new processes and to help staff see the value in this – not just from a legal compliance perspective but also from the perspective of making their jobs easier.
Obviously revamping the way you deal with information can be a bit daunting. In order to help with this, we start with an initial information audit which is designed to uncover where your information is and what you are currently doing with it. Many clients consider this to be obvious, and yet we have never had an audit where some part of the results was not surprising to management.
Contact us for more information about our initial audit and our approach to information governance.