The practicality of POPI
Dr Danie Strachan, partner at Adams & Adams, says it is important to do a high-level analysis of the personal information in the company before embarking on the POPI implementation journey.
Companies should be doing this now and not waiting for the long-anticipated commencement date.
He says organisations should have already started to identify the risk areas and be working on these. Alongside this activity, there should be a task team that takes on the responsibility for POPI compliance and readiness.
ITWeb Events spoke to Dr Strachan regarding his presentation at the ITWeb POPI Update II on 22 November, to establish why it is important that companies practically understand POPI and the consequences of not doing so now.
ITWeb Events: You are presenting an introduction to POPI - why is it important that organisations get to grips with the 'basics' before moving forward with implementation?
Strachan: There are many misconceptions surrounding POPI. Many people do not even realise POPI is not yet properly in force. Organisations need to understand when POPI will apply to them, and when not. If they understand how POPI works, they can adapt their processes accordingly.
Some organisations will be able to remove some of their activities from POPI's reach by making simple changes. For example, if data falls outside the definition of "personal information", the relevant data will not be covered by POPI's provisions. Accordingly, some organisations can change their data-gathering habits to avoid collecting data that constitutes personal information.
ITWeb Events: What are the three key factors to consider when preparing for POPI?
Strachan: I would say firstly, determine what kind of personal information you are processing and why you are processing it. Secondly, you need to accept that POPI compliance is necessary to avoid fines and reputation damage, but that it can also make your business more efficient and streamlined. Lastly, it is important to raise awareness in your organisation. It makes it easier if people in your business are familiar with POPI's requirements and know where the issues lie.
ITWeb Events: Why, in your opinion, are many organisations employing a 'wait and see' attitude when it comes to POPI?
Strachan: People seem to think POPI might not be enforced and that the regulator will not have teeth. This could be the result of them being used to less effective enforcement in other areas.
ITWeb Events: For organisations that retain large quantities of personal data - what should their first POPI action be?
Strachan: Identify the various types of information being collected and retained. Decide whether you can limit your collection and retention practices. Determine whether you need all the information currently being retained and whether some of it can be deleted.
ITWeb Events: What is the first question that most clients ask when engaging you in conversation on this subject?
Strachan: What is the current status and where should we start?
ITWeb Events: Why did you say yes to presenting at the upcoming POPI Update II? What is it that you bring to the table and what do you want attendees to take away with them after your presentation?
Strachan: I enjoy engaging on data protection and privacy discussions and find it a fascinating area of the law. I like to clarify the topic for people and make it relevant and practical for them. I would like attendees to leave the event with a broad understanding of POPI's requirements and clarity regarding the way forward.