POPI is about incremental onboarding
There is a need to shift a company’s entire culture when implementing POPI. One will not be able to change things overnight. Onboarding POPI will be an incremental process.
During the management of a POPI project for a South African Fortune 500 company in 2007, TOSMS researched the United Kingdom’s Data Protection position. TOSMS wanted to provide guidance for this project based on UK company learnings. Many of the UK companies interviewed said the same thing when it came to complying with data protection legislation: a company is only as good as the people in the company doing the right things.
Shifting the culture and changing the habits of staff will take time. South African companies will need to start with the people directly involved in the analysis and development of solutions for POPI compliance, followed by other staff. Staff would need to be educated to a suitable level of understanding. This will need to be reinforced regularly and built into performance contracts. This is especially true when their work has a material bearing on the level of assessed POPI risk.
POPI demands a thorough knowledge of data processing
Over the last ten years, TOSMS has been directly involved in many POPI projects in South Africa. In that experience, not one client had a decent understanding of what they did with personal information, certainly not with sufficient clarity to be able to answer questions about the processes, people and systems that were processing records containing personal information.
Without this detail it is not possible to understand the size of the impact and what is needed to comply with the POPI Act. This is a huge challenge. It is the reason TOSMS has developed an automated solution for carrying out data inventory exercises for clients. Details are captured about the records, types of information held, people, processes and systems involved and other core details required.
The sheer volume of personal information being processed
A big challenge with implementing the POPI Act is the sheer volume of transactions being processed by companies. These processes occur on a daily basis. How does a company keep control of all these transactions? How do they comply with the multitude of rules that have to be factored into this processing due to POPI?
The situation is compounded where larger companies have their own systems environment, with numerous different applications that have their own repositories of data containing personal information. On top of that, companies will also have the information of subsidiaries and third parties that they are accountable for.
There is an ever-increasing need for compliance to be fully automated in order to handle the volume of transactions. Rules have to be applied to the processing taking place throughout the life of such records.
Latest advances in application programming interface (API) technology make this possible. You can read more about this on the TOSMS website under the section that deals with the TP-RMS solution.
More About Our Newsletter
References: Information contained in our newsletter includes extracts from the TOSMS online training program Introduction to Protection of Personal Information Act. The aim of providing this content is to assist individuals and companies in South Africa who are dealing with personal information about clients, suppliers and staff in coming to terms with the extensive requirements of the POPI Act. You will find more details on the course here.
Understanding POPI In Layman’s Terms: With the South African Information Regulator having been appointed, the next major announcement by government will be that of the effective date of the POPI Act. This announcement will kick-start the POPI one-year transitional period, and TOSMS decided to embark on an education initiative for subscribers to our POPI newsletter. What this means is that the POPI Act will be unpacked in bite-size chunks over the next year through a regular newsletter, to provide a useful reference for individuals impacted by the Act. You can subscribe to our newsletter in the footer of our website.
We will include other articles of relevance from time to time. Mostly, we will be covering what is in our POPI training program. While it will not be as comprehensive as the training program, it will expose the issues for you. You can then explore further where it triggers the need in your business to consider changes.