POPI Compliance Implementation
POPI compliance implementation is one of the first governance matters a company should address if it wants a sustainable POPI outcome.
The impact of the POPI Act on an organisation raises an obvious governance issue for a company, which can be put as a question:
- How formalised should the process of making changes to systems, processes, staff roles and records in the operation be?
POPI provides for a transitional period of one year, which the minister may extend in certain instances up to a maximum of three years. Clearly, companies have to manage the changes through some form of governing body intervention that ensures the gaps are identified, the risks assessed and the solutions implemented.
It is essential that the solutions implemented are underpinned by POPI controls and effectiveness measures to ensure continued compliance with the legislation, particularly where high risks have been identified.
Employing a structured approach
Once the POPI Act commencement date is announced, there should be a structured approach that gets down to sufficient detail for the solutions to be effective. TOSMS has seen far too many clients in the following scenario: consultants are hired at a cost of hundreds of thousands of rands, and then provide the client with impact assessments and recommended solutions whose outputs are so generic that they are literally meaningless, and cannot be effective when it comes to complying with requirements at a granular level, where the devil is in the detail.
What is the POPI governing body losing sleep over?
From a governance perspective, whoever is leading the POPI implementation must make sure they can give their board or governing body answers to the questions that are fundamental to the success of the programme. One example is:
- What is it that the governing body should be losing sleep over because of the impact POPI will have on the operating model?
To answer this question, one needs a reasonably clear picture of what the intended target operating model looks like, which is why generic recommendations are to be avoided.
Further questions for which answers will be required will be covered in a follow-up article.