POPI Regulations

Tim O’Hanlon, CEO of TOSMS, is a data protection expert. He is the founder of Tim O’Hanlon Strategic Management Services (TOSMS), which has offices in the UK and South Africa.

I have heard a number of clients say they are going to wait until the POPI regulations have been published before starting to implement POPI in their companies.  Here are two good reasons why this is not a good idea!

Firstly, POPI is a paradigm shift. It will require a change in the behaviours of staff and third parties processing the personal information your company is accountable for.  This change in behaviour will not happen overnight. It will take a lot of training and reinforcement over a prolonged period to get right.  This culture shift takes time.

You could argue that the training can only be done once there is clarity about the regulations. This brings me to my second reason for not waiting.

Section 112 of the POPI Act covers the regulations that the Regulator may publish. To a large extent it deals with the “manner” in which certain requirements in the Act must be complied with. I call it: the HOW.

There’s lots to be done before the POPI regulations are published

In other words, the regulations will not change how to be compliant.  The POPI Act already covers WHAT you have to do to be compliant – all the rules, or if you are looking at how TOSMS has unpacked the legislation, the 86 detail requirements.

The devil is in the detail of those 86 detail requirements. It’s paramount that you get your data inventory exercises done. Establish where the biggest risks are in your organisation.

Know where your gaps are and identify what you need to do to comply – a significant effort that will take time. Then you can turn to the regulations.  When looking at what is covered in section 112, you will see it won’t have a bearing on the majority of your efforts. First get the culture shift of your processing underway. The POPI regulations themselves are not material in specifying HOW the big risk areas that impact most companies should be dealt with.

I rest my case.