Is your compliance structure up to the task?
The POPI Act is not going to tell you that you now need to consider implementing a more rigorous compliance model. Consider, for example, the Three Lines of Assurance model. Your current model is unable to cope with the added focus required by the Data Protection Act (United Kingdom) or the Protection Of Personal Information Act (South Africa). You can see our service called Setting Up 3 Lines of Assurance Model for more details. We see it a lot where an industry is not as heavily regulated around compliance as, for example, the financial services sector. Along comes new legislation and their compliance structures are just not able to deliver a sustainable solution.
Can your records management regime deliver?
The legislation isn’t going to tell you that your control of records now needs a fundamental rethink. This applies to the level of granularity, and the whole records management model within the company. Grounds for processing, consent, retention, and so many other rules deal with each record. The need for classification and categorisation to manage this may not have been a need before. There are many examples I could site based on our experience. Our TP-RMS Records Management Solution covers these challenges in detail.
A more insidious risk
One of the more insidious risks of POPI is where the people engaged in the change efforts within the company do not know what they don’t know. This is a blind-side that is more difficult to identify and deal with. Where you are dealing with first-time changes for which there are no precedents in the company, one of the risks of POPI is this blind-side raising its head. People cannot offer an input because they do not even know that there is an input to give. Unfortunately ignorance is not bliss.
More About Our Newsletter
References: Information contained in this newsletter includes extracts from the TOSMS online training program: Introduction to Protection of Personal Information Act. The aim of providing this content is to assist individuals dealing with personal information about their clients, suppliers and staff in coming to terms with the extensive requirements and risks of POPI. See Training & E-Learning for more course details.
Understanding POPI In Layman’s Terms: The Information Regulator has been appointed and the commencement date will be the next major announcement by the South African government. This will kick-start the one year transitional period. We decided to embark on an education initiative for everyone who has subscribed to our newsletter. What this means is that we will be unpacking the legislation in bite-size chunks over the next year to provide a useful reference for individuals impacted by the POPI Act. You can subscribe to our newsletter in the footer of our website.
We will include other articles of relevance from time to time. Mostly we will be covering what is in our POPI training program. Obviously it will not be as comprehensive as the training program but will expose the issues for you to then explore further where it triggers the need in your business to consider changes.