Further POPI Compliance Implementation
This article covers additional questions the governing body should answer to further POPI compliance implementation, one of the first aspects of governance a company should address to ensure a sustainable outcome. It follows on from a previous article.
- Where will the company fundamentally need to change the way it does business because of the requirements in POPI?
A client that TOSMS worked with in 2013 used list brokers for marketing, and this was the cornerstone of their business. It quickly became apparent that most of these list brokers would not be able to provide the same volume of leads post-POPI. This could have been a deal-breaker for the company had they not been given this input as part of the board feedback and made a fundamental change to their operating model.
- How will a company integrate the changes into its operating model?
In our experience, companies have legacy aspects of their business that may have to comply with POPI but that they do not want to touch. Then there is a great deal of new business being developed, which the company would need to consider making compliant prematurely, or before the announcement of the commencement date, so that it avoids future rework. Finally, companies have a lot of business that falls into the category that TOSMS calls the “status quo” or “standard operation”, which will need to be managed very carefully so as not to disrupt the essential revenue-generating side of the business.
Short-term pain for long-term gain
- Are there any situations where the company may need to endure some short-term pain for long-term gain?
Typically, this refers to things like the appointment of the Information Officer at the start of the project. They should be intimately involved in the assessment of gaps and the development of solutions, and should get to know exactly what the company does with its personal information, something no one in the company understands well enough at the outset! It is critical not to wait until the last minute on this issue, as a company may then find that all the knowledgeable staff have been snapped up and may have to make do with second best in a regulatory risk space that is complex and needs experienced people to manage the Personal Information risk.
Business opportunities as a result of POPI
- What business opportunities are there for the company in complying with POPI?
Data about a company’s clients is an asset that now has to be managed at a granular level. In needing to get closer to this data, there may be opportunities. For example, by embracing the rules around disclosures and consent, a company may find ways to achieve a far bigger spend of wallet from each client than would otherwise have been the case.