Acceptance of a privacy culture vital for organisations to achieve POPI Act compliance
Complying with the Protection of Personal Information (POPI) Act is a multi-layered exercise that includes governance compliance to new processes, closing gaps and securing personal information. Paul Raath, Consultant/Change Manager at Bizmod, says it is not a quick fix and the most important fundamental for all organisations is to ensure the adoption of a privacy culture by all employees is achieved.
Despite organisations jumping through hoops and ticking all the boxes, if employees don’t embrace the change and adopt a strong privacy culture, the company’s s privacy programmes will fail.
Implementing new policies and procedures are an unavoidable part of the process and employees will be required to adopt the new ways of working within the parameters of the POPI Act. Raath says: “In a manner of speaking, the rules of the game change and the overarching question is how do you get your players to play by these new rules?”
For any project to succeed, user adoption is a function supported by change management. The objective of the change manager is to engage stakeholders and educate them on the changes required, and in this case, in compliance with the Act. Raath says building a privacy culture is not the easiest of tasks, but it is imperative. “We are only ever as strong as our weakest link.”
Raath says organisations face different challenges, but the most common hurdle for organisations is the human predisposition to resist change. Humans are creatures of habit and try to avoid change whenever possible.
Change management is well equipped to implement strategies to assist a team experiencing change and guiding them through the various stages. Raath says communication campaigns, including face-to-face sessions, training, the digital landscape and even exciting activations all form part of an adoption campaign to a privacy culture.
A strong campaign is often enough to lay the foundation for change initiatives to come. “However, due to the current increase in organisations working from home, the end-users are often overwhelmed by an influx of communication. POPI is by no means the only issue vying for an employee’s attention and thus the change manager needs to find a way to work around this challenge,” says Raath.
The human element can sometimes be missing in the adoption campaign, creating a barrier to accepting the change. “Often, the change team is an external resource to the organisation, so no prior relationship with employees exists,” says Raath. In situations like these, a strong change agent network is immensely valuable. While a change team’s reach is generally limited by the size of an organisation, a network of change champions can act as the eyes and ears on the ground, Raath says, by creating a formalised network of informal influencers or change agents who are then able to communicate the messaging. They are able to take the change initiatives and push the awareness of it further.
“These agents already have strong working relationships with their teams and an e-mail or training session sent by them automatically gives the message more credibility than if it was sent by a stranger,” says Raath.
All these elements will assist an organisation in having its employees accepting a privacy culture. “It must be stressed that creating this culture is by no means a once-off exercise, but rather an ongoing process. Growth takes time, and if what you are growing relies on human emotions, you should expect it to take even longer,” says Raath.