Designed to protect consumers’ personal information from misuse, and ultimately help companies deliver better brand experience, the POPI Act, aka POPIA, will soon come into practice in South Africa.
Lecio De Paula, director of data privacy at KnowBe4, has unpacked three priorities for companies to focus on right now.
N.B: POPIA was meant to come into effect April 1, 2020 in South Africa but the date was pushed out again due to the coronavirus crisis.
1. Identify privacy risk
By this point, you already know that POPIA is applicable to your organisation, so now you need to figure out what exactly you need to do to comply.
This means knowing exactly where you stand in comparison to POPIA’s requirements by conducting a business privacy impact assessment.
As such, you’ll need to identify privacy risks in your organisation (aka noncompliance), and come up with a plan to either remediate or accept them.
The assessment should consist of a broad series of questions about your organisation as a whole, as well as questions that speaks to specific processes and departments.
Business privacy impact assessments are the lifeblood of a privacy program, and are essentially an audit you conduct against controls that your organisation has in place to comply. These should be conducted on a periodic basis.
2. Mechanisms required for compliance
Once the privacy impact assessment has been conducted, it’s time to focus on the more pressing issues you have chosen to remediate.
Depending on the type of organisation you’re in, different processes may have different priorities. If you’re a SaaS tech company, you may begin by first focusing on what you need to do to ensure your services are in compliance with the law (compliant data retention, privacy policies, consent mechanisms, etc.).
The key is to tailor your approach and tackle each issue with a risk-based approach. High-risk processes should always come first. A good approach to take is to start with client/customer personal data processes and work your way towards employee personal data.
This will involve collaboration with many departments, so executive buy-in is a must; and privacy compliance should be pitched as business enablement. Privacy is there to provide trust to your employees and customers.
3. Robust data control system
Lastly, create a system to effectively monitor the controls you put into place. What’s difficult about privacy is that everything is constantly evolving, and it will always keep you on your toes.
Given that most organisations do not have a robust team of privacy professionals and it’s usually limited to a few individuals, automation in this regard becomes paramount. The aim is to ensure you have a robust privacy program with limited resources.
Leveraging a governance, risk and compliance (GRC) tool to help you conduct assessments, map controls and data flows will be extremely beneficial in the long run.
If your organisation does not have to budget for one, using a cloud drive folder (albeit a little more tedious) will still work in this regard. You can use this to set up your templates and upload your compliance documentation for ease of access.
In more simplified terms, organisations should audit every location they store personal data on, see what controls are in place to protect this data (technical controls, establishing the legal basis for processing, CIA triad), and document those controls or the controls that are being put in place.
Conclusion
There are various other obligations of course, but initially it’s all about understanding how, where and why your organisation stores personal data.
Without answering these few questions, you will not be able to comply with other aspects of the POPI Act, because as the name suggests, it’s all about protecting personal data. And if you don’t know where it’s stored, how you process it and why you store it, it will be impossible to protect.
*For the latest brand focused South African news and updates, make sure to visit NOWinSA daily
