POPI Compliance Framework
Another aspect of governance that we at TOSMS suggest a company should address, to ensure a sustainable POPI outcome, is to implement a POPI Compliance Framework. This article forms part of a series of POPI Governance articles that starts here.
Although the Act does not explicitly require a compliance framework, it does require the responsible party to ensure that all the conditions for lawful processing of personal information are complied with.
When regulators engage with a company, they look for evidence that good business practices are in place. In practice that means the company needs a reasonable approach to managing compliance with legislation in general, into which the POPI requirements have been integrated.
Three Lines of Assurance
A typical standard compliance framework for ensuring that regulatory requirements are met is the Three Lines of Assurance Model, which is based on the concept of combined assurance. It is not possible to create a sustainable solution for POPI unless one has a decent compliance framework into which the outputs can be delivered. Whoever owns this framework in the company needs to spell out to the person implementing the POPI compliance initiative exactly what the framework requires.
The important point to understand is that the first line of assurance is responsible for making sure that the controls that have been implemented are actually applied in the business. The second line of assurance then needs to use the effectiveness measures that have been established to monitor how well these controls are working, in order to manage the POPI risks and to make adjustments where necessary. (The third line, independent assurance such as internal audit, is outside the scope of this article.)
Specification of a Compliance Framework
Clearly one needs a specification of what the POPI compliance framework requires from the POPI initiative, and this would include things like:
- The risk rating of all requirements in POPI (there are 86 of them) for each area impacted in the company;
- First Line of Assurance: the internal controls required for each high-risk requirement – a specification of its purpose, where it is to be applied in the organisation, who is impacted, the training required, and who is accountable for its application and maintenance (proper use, updated documentation, training material, etc.); and
- Second Line of Assurance: the specification of effectiveness measures for each internal control and who is accountable for applying them and at what frequency.
Our view at TOSMS is that these inputs are fundamental to developing a POPI monitoring program that dovetails with the overall compliance monitoring program.