Why the face?
The Information Regulator asked the President to announce 1 April 2020 as the commencement date for the Protection of Personal Information Act (POPIA).
1 April is also an auspicious date widely known as April Fools' Day. It is less well known as Sourdough Bread Day. On 1 April 1999 the Euro was adopted as a common currency in the European Union. Hillary Clinton compared herself to Rocky on this day in 2008, and last but not least, 1 April is the start of a new financial year for the South African Government.
As expected, the Regulator’s announcement caused collective panic amongst compliance officers. Inboxes everywhere were suddenly flooded with unsolicited advice and invitations to POPI Essentials workshops.
But who should panic, and who should calm the fuck down?
Who should panic a little?
You can panic a little if:
- you compile and sell large databases
- your service targets children, especially if there is health information involved
- you are part of a group of companies that share databases
- you use information in unexpected, potentially irritating ways (think unsolicited direct marketing)
If this is you, you should have been kicking off your POPIA compliance efforts yesterday.
The rest of you can take the scenic route.
What to do next
Take a step back
- Stop to think about whether POPIA compliance is really something you should be worried about. If you do enterprise risk management, POPIA compliance will have been on your compliance risk register for a while. Does the announcement of the effective date affect your risk rating? Probably.
- Re-assess the risk as if you must be POPIA compliant by 31 March 2021 and see how this change affects your risk register. Before you start launching campaigns, unplugging printers, and buying shredders, make sure that POPIA compliance is where you should be spending your money. Do some research to understand how and why your business uses personal information. Consider how an investment in data protection could benefit your business. Will it give you a competitive advantage? Make your organisation more agile? Will it make you more attractive to investors?
Do some homework
Once you’re sure that you should be spending time and money on POPIA compliance, we recommend that you:
- Determine your privacy values. For example, do you take a zero-tolerance approach to compliance, or do you focus on ethical business practices?
- Assess your information governance maturity. If you score below three, your business is not ready for a POPIA compliance programme and you should work on your overall information management first.
- Understand your high-level inherent risks by identifying the areas in your business where you must focus first. Then determine which risks you are willing to take, and which you will need to mitigate.
- Draft a POPIA compliance framework. Take your time with this step; it is the most important one. When you put a compliance strategy on paper it forces you to consider who to involve and if and when you need outside help.
- Tackle your policies. Although POPIA is about a lot more than information security, a data breach will have the most dramatic impact on your business. If we were you, we’d review and update your information security management policies and processes first.
Here is what you need:
- an incident response policy and procedure;
- an incident response team (external information security specialists, forensic auditors, etc.);
- disaster recovery plans (cyber resilience and fault-tolerant systems and processes);
- disaster communication specialists on hand (this is a specialist field – many marketers suck at it);
- an attorney to help you with your notification to the Regulator and to preserve evidence that is subject to attorney-client privilege;
- a tested procedure and incident response team (test both, and then test them again); and
- trained employees (train them, and then train them again).
Need a little more than a blog to get you started? Call us, or come and listen to Elizabeth explain it all at the POPIA skills series.