Ten tips to POPIA compliance

0
54
James George from Compli-Serve SA and Elizabeth de Stadler from Novation Consulting

The time for Protection of Personal Information Act (POPIA) compliance is edging closer (30 June 2021). Here are ten top tips to be ready, no matter what.

Motivate your manpower

Getting buy in from stakeholders and staff will accelerate the success of your POPIA compliance plans. This is a crucial first step. Find interest and value for them to pique their enthusiasm. Administrative people might be keen to save on admin time, as an example. People are not lazy; they just prefer to prioritise to get to the end of the workday.

You might get more pushback if there is less control in the changes needed. If buy in can also mean having a hand in determining the changes, it could be easier. People who suffer from car sickness often don’t feel symptoms if they are the ones driving, able to anticipate the turns.

Be a bit of a MacGyver

It’s better to look at existing structures and insert POPIA compliance within that. If you aren’t doing any governance whatsoever, or maybe just complying with FAIS, POPIA is not your biggest problem. Use the compliance processes you have and edit them accordingly to fit into POPIA requirements too.

It’s useful to check if any POPIA groundwork has been done already in some departments. You can also ensure you understand how everyone will be impacted and ask how you can help them to transition.

Analyse haves versus needs

Analysing gaps as a step can mean you just have gaps (such as conducting a gap analysis). When the POPIA strikes the fan, you’re facing risks ranging from operational to financial, including business continuity. HR risks increase, as do litigation risks and so your reputational risks rise. You can’t afford to only have a gap analysis. Plug the holes as you go, ASAP.

Just calm down

Our brains release cortisol when we are stressed, and when our flight or fight mechanism kicks in, there is said to be a 20-point drop in our IQ points. In other words, if you panic, your judgement is likely to be off. A calm approach is best.

Know your blind spots

Procrastination centres around the fear of failure or a fear of what to do (where do I start? What if I do it wrong?). Don’t get caught out – every business has a blind spot. You just need to learn some things and you will be okay. Do your homework, such as checking in with an independent compliance officer for guidance.

Tough Tech(ies) – it’s all Geek to me

Understanding how information security management works and fits together will empower you. Don’t let limited knowledge on tech dissuade you. Ask questions. Take your head out of the sand.

Embrace POPIA as a team sport

Everyone is responsible in this collaborative journey but realise just that – it’s a journey that will take time. Don’t address everything and all departments at once. Make a plan to manage this merge over several months. POPIA shouldn’t be an IT problem exclusively either. They can’t take responsibility for the box of files that could be stolen from your boot…

E-mailing a policy doesn’t count as implementation

You need more than a group send. You need to change the process. Assess who needs which training. There is no such thing as POPIA general awareness training – you need skills development, relevant to each department or organisation.

Never copy and paste: tailor-make

Borrowing wording from someone else’s POPIA plan can be the poorest plan of all. You can’t just copy and paste – you need to have a plan centred around the correct risk assessment, bespoke to your business.

Know when to leave it alone

Implementing even just one or two new processes, within an existing framework could be overwhelming, so go slow but most importantly, just go! Don’t overwhelm your business by trying too much at once.

A bonus

POPIA compliance and sound governance add value to your business. An incident plan also saves money on protection and enhances your organisation’s cybersecurity.

The year ahead will hopefully be better than the last, but be kind to yourself and your business, and take a measured approach. POPIA compliance is a big task but tackling the steps one at a time will get you to where you need to go.