It’s week 5 000 of the national lockdown, so we reckon everyone will appreciate a change of focus (since we can’t change the scenery). From what we can tell, most people’s pace during lockdown is either crazy-busy or bored-to-tears. So, for those of you leaning towards the bored spectrum, here are seven things you can do to kickstart your POPIA compliance project – even during a worldwide pandemic.
1. Assemble a project team
Identify the following members (at least) to form part of the team:
- Executive sponsor: This person will authorise the project and control the budget.
- Business lead: This person will be responsible for the day-to-day management of the project. (This is you, right?)
- Risk, compliance and legal: You will need someone from each of these areas to provide advice. Wondering why? Take a look at this blog about the interdisciplinary approach you need to hack data protection.
- IT lead: This is a key stakeholder because they are often responsible for information security management.
2. Do an information governance (IG) maturity assessment
Ask everyone on the project team, and maybe a few other senior managers, to complete an IG maturity assessment. If you rate below three, you need to focus on other areas of your business before you can move on to POPIA compliance. Here is a blog on how to interpret the results.
3. Work out a high-level project plan
We usually start POPIA compliance projects with the following steps:
- Determine the aim of the compliance project.
- Identify the high-level POPIA compliance risks.
- Agree on priorities for the project.
- Agree on your risk appetite.
- Define roles and responsibilities.
- Draft a POPIA Compliance Framework.
4. Work out a budget
Once you have an idea of what needs to happen and who will be on the team, you can get a sense of how much outside help you’ll need to get the ball rolling. Ask a few service providers for quotes. The lockdown is the perfect time to have these conversations.
5. Do a preliminary investigation
Set up some time with senior managers and get a sense of where and how your organisation uses personal information. You can start by asking these questions:
- What customer information do you collect?
- How do you collect it?
- Where is it stored?
- What employee information do you have and where do you store it?
- What service providers do you use that have access to your customer or employee information?
- Do you do direct marketing? How?
- Do you sell datasets that contain personal information?
6. Review your current policies
Get copies of all your information governance and information security management policies and review them. Do they include anything relating to the protection of personal information? If not, add time for policy development to your project plan. Your POPIA Compliance Framework should list the additional policies you need to develop and the current policies that need updating.
7. Draft your POPIA Compliance Framework
The framework should:
- Define the aim and principles of your POPIA compliance programme.
- Identify the roles and responsibilities within the programme.
- Include a policy development and alignment plan.
- Set out a policy implementation plan.
- Describe your approach to risk assessments.
- Describe your approach to compliance monitoring.
8. Last, but not least
Stay safe and healthy! Don’t start your POPIA compliance project now just for the sake of being productive during lockdown. It’s okay if POPIA is not your first priority at the moment – put on your own oxygen mask first.