Tim O’Hanlon is a data protection expert and founder of Tim O’Hanlon Strategic Management Services (TOSMS) with offices in the UK and SA.


I have put together this article to help those responsible for preparing their companies to deal with the imminent data protection legislation being introduced in South Africa – the Protection of Personal Information.  It is equally relevant for those contemplating the changes introduced as a result of the General Data Protection Regulation that has been approved by the EU. Those interested are welcome to request further input by completing the Request Form or making contact with us – our details can be found under Contact Us.

Beware: the devil is in the detail

Knowing just how exposed you are when looking at all your processes, systems and people dealing with records that contain personal information is not as simple as you may think and an approach that is too generic may not be enough to ensure sufficient protection from exposure.

Just ask yourself the question: why are large and reputable companies in the UK who have had the Data Protection Act in place for more than two decades still falling foul of this legislation?  Do not underestimate the rigour required!

Limited exposure to alternatives for solving the problem

A practical and systematic approach is the only way to get to the bottom of what your exposures are.  Then, just as important is having experience with the solutions and various options you have for dealing with these exposures, an area that the majority of companies have little or no exposure to and are guided by limited expertise.

Analysis on spreadsheets

We have been working with companies since 2007 on data protection and have developed essential tools for being able to understand and analyse the magnitude of the problem.

It is not sensible to carry out the analysis of the numerous data elements in a company impacted by the legislation through the use of spreadsheets unless you have a small company with very little processing of personal information.

We have worked with large and medium size companies where the number of data elements captured amount to tens of thousands of inputs.  These cannot be analysed and mapped to create essential risk heatmaps without an automated system.

Target operating models

We also have essential solution insights to guide how far company operating models need to change to deal with the risk.

The mistake a lot of companies make is thinking that an understanding of the gaps caused by the new requirements and going ahead and fixing these gaps is sufficient.

Every time an organisation needs to change due to a new  set of requirements, it becomes more complex.  This introduces greater risk of dysfunction and greater challenges in the management of the people, processes and systems.  The way to mitigate this is to take these requirements and review the company’s operating model at the time you are considering how to resolve the gaps caused by the requirements.  There is a specific set of skills and a methodology required to do this that includes a thorough knowledge of operating models and potential solutions to resolve the gaps.

keep current by reviewing what is possible

For those larger companies who have already embarked on efforts to tackle the legislation, we offer an audit service where a review of what has been done can help minimize future exposure, especially where the level of rigour may be lacking or the nature of the solutions being considered are impractical, over-engineered or allow too much risk to remain after implementation.

Access to further details

If you would like further insights into our tools and methodologies, along with the solutions we offer, our details can be found under Contact Us. Alternatively, complete the Request Form and we will get back to you.