Many of our projects begin with a similar story from new clients, ‘We made our first attempt to become POPIA compliant in 2015, but nothing changed. We asked ABC to help us in 2017 and we wrote 1000 policies and sent the whole company on training, but we are no more compliant today than we were in 2015. What are we doing wrong?’
So we ask ourselves, ‘Why do so many POPIA projects fail?’ and ‘What can we do at the beginning of projects to head trouble off at the pass?’
After a lot of trial and error, this is our answer:
- do an information governance maturity assessment,
- pay attention to the results, and
- pick the right project for your organisation (hint, it might have nothing to do with POPIA).
1. WHY ARE WE TALKING ABOUT INFORMATION GOVERNANCE?
With all the hype around POPIA and data protection, organisations are forgetting that personal information is not the only class of information that is essential for doing business. For many organisations, personal information won’t even be the most valuable information they use. Measured in Rands and cents, their intellectual property may be more valuable.
Here are some other forms of information:
- all intellectual property (trademarks, designs, inventions, trade secrets, know-how, content or publications the organisation created, technical documents)
- information on the organisation’s website
- financial information
- contracts and information about contract negotiations
- strategies and plans
- policies and procedures
- internal memoranda, minutes of meetings and agendas
- research and statistics
- personal information of customers and prospective customers (leads), employees and employment candidates, suppliers and service providers.
According to the IG Initiative, information governance is ‘the activities and technologies that organisations employ to maximise the value of their information while minimising associated risks and costs.’
This definition from the Gartner IT Glossary is a bit more complicated, but it gives you an idea of the full scope of the discipline: ‘…the specification of decision rights and an accountability framework to ensure appropriate behaviour in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.’
Information governance is often referred to as a ‘super-discipline’. It includes records management, information security, risk management, compliance management, legal and e-discovery issues, IT governance, data governance, privacy, corporate governance… Here is a great introduction to IG by an information governance legend.
2. WHAT IS AN INFORMATION GOVERNANCE MATURITY ASSESSMENT?
Information governance maturity assessments help organisations to spot areas that are in need of improvement. We also use them to assess whether an organisation is ready for a POPIA project. Here is the one we use. It has been adapted from the ARMA International Information Governance Maturity Model.
3. WHO SHOULD COMPLETE IT?
Resist relying only on your perspective, because information governance is multi-disciplinary. Ask stakeholders across the organisation to complete the information governance maturity assessment. Get perspectives from IT, legal, compliance and risk management, human resources, sales, operations, executive management, information security and records management. The more the merrier!
4. WHAT DO THE RESULTS MEAN?
If it turns out that you are ready for POPIA, our first step is always to draft a POPIA Compliance Framework and to check whether you have the right policies.
If you are not ready, take a deep breath. Doing POPIA just for the sake of doing it by the effective date (which will be whenever) is not a good idea. Firstly, because you probably have bigger things to worry about. Secondly, you will end up frustrating the hell out of your organisation and wasting precious time, resources and money on false starts. Record the results of your information governance maturity assessment and create a strategy to address the deficiencies. By all means, include POPIA in that picture, but make sure that it is in the right place.