Tim O’Hanlon is a data protection expert and founder of Tim O’Hanlon Strategic Management Services (TOSMS) with offices in the UK and SA.
“The problem at the outset with pervasive and paradigm-shifting legislation like DPA and POPI is that companies don’t know what they don’t know.”
The risk of top-of-the-head thinking
I have presented new legislation to management boards and executive teams where senior individuals have proceeded to spell out what the impact of the legislation will be on their companies. Notwithstanding the presence of an expert on the topic, this has not stopped these individuals from presenting views that were groundless and sometimes fundamentally flawed. This is what I call “top of the head” input, and it is irresponsible for people operating at that level in the organisation. They represent a risk to the teams they are part of, but that is a whole separate subject: behavioural exposures within management teams.
The risk of people without the business knowledge
On the other side of the coin, I have personally underestimated the understanding that companies have of what they do in their business. Never mind not knowing the legislation well enough; when you are dealing with clients where the people in the business, tasked with sorting out the problem, do not know their own operations sufficiently well, you are on a slippery slope.
These are two examples of an environment that is not conducive to tapping into the collective wisdom of the people engaged in the change efforts to fix the problem for the company, whether it is data protection in the form of the UK Data Protection Act (DPA) or the South African Protection of Personal Information Act (POPI) or any other regulatory change. In both of the above examples the issues are easily identified and can be rectified.
A more insidious risk
The more insidious issue is where the people engaged in the change efforts do not know what they don’t know. This is a blind spot that is more difficult to identify and deal with. Where you are dealing with first-time changes for which there are no precedents in the company, you are at risk of this blind spot raising its head. People cannot offer an input because they do not even know that there is an input to give. Unfortunately, ignorance is not bliss.
The devil is in the detail
The first time we programme-managed a data protection initiative nearly a decade ago, there were some key learnings because of things we did not factor into our approach at the time. For example, we had to bring in business analysts to unpack the business at the level of granularity required by the legislation because the business had no idea what it was doing with personal information at that level of detail. This increased the costs and extended delivery dates for the project – something we did not anticipate at the time. It seems obvious now but not at the time.
It is all about experience. Too often the criteria for engaging people to solve the company’s problems, whether internal or external, do not take experience sufficiently into account. This creates blind spots that have the potential to undermine the results expected of the regulatory change initiative.
Strategic priorities are critical
Having said this, when tackling significant regulatory changes such as a data protection initiative, it is important to keep the company’s broader strategic objectives in mind. Let me put this into perspective.
Imagine you have just been shipwrecked on a deserted island with a handful of fellow crew members. You have no belongings, no means of communication and no idea where you are. What is your main objective? …Survival. The actions you take on the basis of that objective are very different to those later on after you have been on the island for months, at which stage your objective is likely to be getting off the island. Your actions at that stage will be very different to those at the beginning.
If a company is on the verge of going into business rescue, putting your best resources into your data protection initiative could be tantamount to rearranging the deckchairs on the Titanic! Unless, of course, it is data protection that is the root cause of the problem.
Set objectives and review regularly
This is why clear objectives need to be set at the outset and reviewed, particularly during the early stages of the regulatory change initiative when you are doing your planning. There are various key milestones at which these objectives should be confirmed, and this should be done at the governing body level in the organisation. A previous post covered Stratified Systems Theory by Elliott Jaques, which deals with the principle of having the right issues dealt with at the right levels in the organisation.
First establish the exact nature of the beast
So for a large new change initiative driven, for example, by the requirements of DPA or POPI, where there is significant ignorance about the extent of the legislation and its impact on the company (a typical scenario in South Africa currently, where POPI awaits a commencement date for the one-year transitional period to begin), there is a need to establish the “exact nature of the beast”, taking into consideration the many variables and pressures at play in such a scenario.
Genuinely, how easy is it to convince a governing body that knows little, if anything, about the legislation that you need help from scarce resources in the business to unpack DPA or POPI? These are resources who, in a worst-case scenario, are focused on revenue-generating efforts to keep shareholder value ticking over in a tough economy where cutbacks and reduced bonuses are on the cards. IT is a good example here.
We therefore advocate an incremental on-boarding approach. Getting the governing body behind the regulatory changes is key, so you want to spend as little time and money as necessary doing sufficient analysis to give them a picture that will wake them up to the realities. In this first step it is easier to ask for a budget for an exploratory exercise taking a month or two than for a full analysis that could take half a year.
Get the balance right
Be careful though! You need to find a happy medium. You don’t want to spend so much time on the analysis that you end up with “analysis paralysis”, wasting valuable time and money. In the same breath, you also want to make sure you have done enough to cover all the bases in the company with the rigour required to set up the next stage, which is a more detailed analysis, with sufficient accuracy and with a plan that is properly scheduled and costed.
Establish a common framework
I have had a client approach us after the first stage of their data protection project where they compiled a questionnaire of hundreds of questions and spent months of blood, sweat and tears getting the responses back from every department only to wonder what to do with the outputs. Never mind that there was no common framework established at the outset regarding key interpretations of the legislation for their particular operation/industry – more on this in a later post.
Build the case for detailed analysis
You want to do just sufficient analysis to be able to provide the decision-makers at governing body level with justification for taking the next step in the regulatory change initiative, which is a more detailed analysis. At this point it needs to be clear which businesses are impacted and, at a high level, the nature of these impacts. For the majority of clients we have dealt with, the outcome of this step invariably means agreeing budgets for more extensive analysis that was not originally factored into the company’s plans.
Start with an impact assessment
Getting the governing body to agree to this further expenditure and resourcing is only possible on the strength of a body of knowledge that comes from an Impact Assessment, and producing a suitable risk assessment from it need not take very long.
We advocate an initial “Client On-boarding” phase where the company gears itself up to do an Impact Assessment. This deals with approval of quotations, appointment of staff, scheduling of workshops, awareness communications, etc.
Then the Impact Assessment. We have found that on average this exercise should take no longer than six weeks if it has to assess the entire company. It can be done by covering all the major functions in the organisation at sufficient detail, using groupings of common functions, in the region of 10 to 15 full-day sessions. Obviously the picture is seriously different if you are dealing with a Fortune 500 company that has 80 legal entities all requiring a similar assessment.
You need a system to help crunch the data
Our TP-RCS Regulatory Compliance Solution has five modules, one of which is ASSESS. For any client where we carry out the assessment, use of ASSESS is non-negotiable. It has a set of Summary Level Requirements (SLRs) pre-programmed into the application. There are 22 SLRs that cover the entire legislation, and each has 8 questions covering issues such as impact, risk, effort required, level of compliance, legal interpretations required, etc. The system generates, at the touch of a button, reports that are crucial to the regulatory change initiative. If you would like a demonstration of this system please complete the Request Form. Alternatively, our contact details can be found under Contact Us.
How are you going to provide the governing body with a view of what they should be losing sleep over with the legislation? If we are talking about DPA/POPI you could be dealing with 22 SLRs multiplied by 8 questions per SLR multiplied by a minimum of 10 business groups covered in the assessment. This equates to over 1,700 data capture points (22 × 8 × 10 = 1,760). One of the things you want to be able to show is a risk heatmap for each business area and then one for the entire company, plus reports that list every instance where practical application of the legislation requires legal interpretation, something I will cover in a later post.
Governing body reports
The heatmaps, which show the level of compliance, risk and effort for each of the 22 SLRs, are used to produce a consolidated report for the governing body. Also included is other input from the 8 questions giving justification for governing body approval to continue with the next step in the planning, namely a Detailed Analysis. The report also carries a plan for that next stage, showing all the impacted departments scheduled with durations and costs.
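The roll-up described in the two passages above (per-area and company-wide heatmaps, a ranked view for the governing body, and a register of items needing legal interpretation) can be illustrated with a small script. This is an added example written for this page; it is not the TP-RCS/ASSESS product or the author’s code. The SLR identifiers, the 1-to-5 scoring scales, the three business areas and all scores are constructed sample data, and the worst-case roll-up rule (highest risk, lowest compliance, summed effort) is an assumption chosen so that one badly exposed area is not hidden by averaging.

```python
"""
Added example (not part of the original post or the TP-RCS/ASSESS product):
rolls up constructed impact-assessment scores into per-area and company-wide
heatmaps and a register of items flagged for legal interpretation.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    """One scored answer for a summary level requirement (SLR) in one business area.
    Scales are assumptions: compliance 1 (none) to 5 (full); risk and effort 1 (low) to 5 (high)."""
    area: str
    slr: str
    compliance: int
    risk: int
    effort: int
    needs_legal_view: bool = False
    note: str = ""


# Constructed sample data: three business areas scored against three hypothetical SLRs.
SAMPLE = [
    Response("HR", "SLR-01", compliance=2, risk=4, effort=3),
    Response("HR", "SLR-02", compliance=4, risk=2, effort=1),
    Response("HR", "SLR-03", compliance=3, risk=3, effort=2, needs_legal_view=True,
             note="Do disciplinary records count as special personal information?"),
    Response("Finance", "SLR-01", compliance=3, risk=3, effort=2),
    Response("Finance", "SLR-02", compliance=1, risk=5, effort=4, needs_legal_view=True,
             note="Retention period for supplier ID numbers after contract end"),
    Response("Finance", "SLR-03", compliance=5, risk=1, effort=1),
    Response("Marketing", "SLR-01", compliance=2, risk=4, effort=3),
    Response("Marketing", "SLR-02", compliance=2, risk=4, effort=3),
    Response("Marketing", "SLR-03", compliance=4, risk=2, effort=1),
]


def capture_points(slrs: int, questions_per_slr: int, business_groups: int) -> int:
    """Size the data-capture job: every SLR question is answered once per business group."""
    return slrs * questions_per_slr * business_groups


def _aggregate(cells):
    """Worst-case roll-up of several responses: highest risk, lowest compliance, summed effort."""
    return {
        "risk": max(c.risk for c in cells),
        "compliance": min(c.compliance for c in cells),
        "effort": sum(c.effort for c in cells),
    }


def heatmap_by_area(responses):
    """{area: {slr: {risk, compliance, effort}}}, i.e. one heatmap per business area."""
    grouped = defaultdict(lambda: defaultdict(list))
    for r in responses:
        grouped[r.area][r.slr].append(r)
    return {area: {slr: _aggregate(cells) for slr, cells in slrs.items()}
            for area, slrs in grouped.items()}


def company_heatmap(responses):
    """Consolidated view across all areas, keyed by SLR, using the same worst-case rule."""
    grouped = defaultdict(list)
    for r in responses:
        grouped[r.slr].append(r)
    return {slr: _aggregate(cells) for slr, cells in grouped.items()}


def rag(cell) -> str:
    """Red/amber/green status for one heatmap cell (thresholds are an assumption)."""
    if cell["risk"] >= 4 or cell["compliance"] <= 1:
        return "RED"
    if cell["risk"] == 3 or cell["compliance"] == 2:
        return "AMBER"
    return "GREEN"


def rank_for_board(responses):
    """Company-level SLRs ordered by what the governing body should worry about first."""
    cm = company_heatmap(responses)
    return sorted(cm.items(),
                  key=lambda kv: (-kv[1]["risk"], kv[1]["compliance"], -kv[1]["effort"]))


def legal_interpretation_register(responses):
    """Every instance where practical application of the legislation needs a legal view."""
    return sorted((r.area, r.slr, r.note) for r in responses if r.needs_legal_view)


def render(responses) -> str:
    """Plain-text heatmap tables: one per area, then the consolidated company view."""
    lines = []
    views = dict(heatmap_by_area(responses))
    views["COMPANY"] = company_heatmap(responses)
    for name, cells in views.items():
        lines.append(f"== {name} ==")
        for slr in sorted(cells):
            c = cells[slr]
            lines.append(f"{slr}  risk={c['risk']} compliance={c['compliance']} "
                         f"effort={c['effort']}  {rag(c)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(f"capture points for 22 SLRs x 8 questions x 10 groups: {capture_points(22, 8, 10)}")
    print(render(SAMPLE))
    for area, slr, note in legal_interpretation_register(SAMPLE):
        print(f"LEGAL VIEW NEEDED  {area} / {slr}: {note}")
```

With the sample data the consolidated view puts SLR-02 at the top (Finance scores it risk 5 and compliance 1), which a mean across the three areas would have softened; that is the reason for the worst-case rule rather than an average when the purpose of the report is to tell the governing body what to lose sleep over.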
Detailed analysis is the key
To prevent this post from becoming too lengthy, suffice to say that the Detailed Analysis is the most important step in the planning if you are to put a realistic implementation plan together. It demands the greatest level of understanding about the business and relies on knowledge of the records, and the fields within those records, that hold personal information; of the processes that deal with these records; and of the systems that enable the processing of these records. It also requires input about the various roles in the organisation dealing with these records, and other specific details including special personal information, grounds and purpose for processing, third parties and cross-border details.
All of this is included in ASSESS – there are 86 detail level requirements that take the summary level ones and break them down into a greater level of detail. There are also additional questions for each requirement that go into more detail and include which systems, processes and people are impacted and what the work breakdown is for tackling the gaps identified.
Data inventory exercise in preparation
Given the level of detail required, we have a preparatory step before the Detailed Analysis can be conducted. In this step the client carries out a Data Inventory Exercise to capture the details about records holding personal information and all the associated content used during the Detailed Analysis. Once again, as with the Impact Assessment, this is not something that can be done without help from an application.
Data inventory management system
We have a Data Inventory Management System to assist clients with this step; it provides valuable detail not just for the Detailed Analysis but for future records management configuration efforts. I will cover this in a later post about the challenges of this legislation, where “The Devil is in the Detail”. We would welcome the opportunity to provide you with more information about this system or to give you a demonstration.
Getting in touch
For those of you tasked with unpacking legislation and determining the impact it will have on your company, not just for data protection but for any major regulatory change initiative, I trust the above concepts and approach will be of help. Please don’t hesitate to get in touch with us should you wish to follow up on any of this content. Contact details can be found under Contact Us or make use of the Request Form.