The commencement date of the Protection of Personal information Act 4 (POPIA) of 2013 is expected to be announced during the course of 2017, following which organisations will have 12 months to become POPI compliant or “regulator ready”.
Samantha Buchler, manager for governance, risk and regulatory: risk advisory Africa at Deloitte, takes a look at what this will entail for companies.
Is it possible to become POPIA compliant or “regulator ready” in a year?
The first step that all organisations need to take in order to achieve their POPIA compliance objectives is to design a one- to three-year privacy or POPIA compliance implementation plan.
There are also numerous efficient and cost-effective “quick wins” which organisations could initiate and implement to commence their journey to being “regulator ready”. These quick wins should ideally be initiated within an organisation’s high-risk areas as far as personal information is concerned.
Some of the steps that organisations can start taking towards the transition of being “regulator ready” are:
* Privacy training and awareness: Organisations need to consider whether management and personnel understand the framework and environment within which the organisation operates, as far as personal information is concerned. It is imperative that the need for POPIA is understood internally, as this will assist in the smooth transition.
* Deployment of a governance and data privacy target operating model for sustainable data privacy compliance: A data privacy target operating model provides an overview of the proposed impact of data privacy on the internal structure, roles, responsibilities and management of an organisation and its business areas. There is no standard operating model for data privacy compliance purposes and organisations need to look at factors such as their footprint and structure to determine the model that would be best suited.
* Incident management plan to be developed and in place: A privacy incident management plan allows the organisation to be more proactive and less reactive in effectively dealing with any incidents involving the loss, damage or unauthorised access to the organisation’s data, including personal information. Important considerations such as whether the organisation is at risk of losing any of its customers’, employees’ or other stakeholders’ financial, medical and other personal information are to be top of mind, and adequate preparation for such an incident with pre-defined steps and checkpoints are to be in place.
* Personal information inventory: This is a consolidated document which indicates what personal information is collected, used and stored within an organisation. Having a personal information inventory in place will assist an organisation in addressing the previously mentioned pain points.