Four steps to manage change and drive POPIA compliance
Privacy officers need to work with internal stakeholders and broader networks to successfully embed privacy legislation compliance throughout their organisations and ensure that compliance programmes align with business strategy. This is according to OneTrust experts and privacy professionals who were participating in a webinar hosted by OneTrust in partnership with ITWeb this week.
Focusing on the challenges of implementing effective change management to ensure compliance with privacy legislation, the panellists noted that the deadline for compliance with the Protection of Personal Information Act (POPIA) is set for July 1 this year. However, they added that some stakeholders in South Africa believed the July 1 deadline could be relaxed in light of the disruptions caused by the COVID-19 pandemic.
Whether the deadline was extended or not, protection of personal information and privacy by design has become increasingly important for all global organisations. In addition, the Data Privacy Office is becoming a critical thread working across business units to ensure compliance with legislation and to build trust in the organisation.
Panellists Janine West, data privacy manager at Investec, and Ashleigh Meiring, VP of Data Privacy and Protection at NTT, said POPIA made provision for substantial fines and sentences, and also presented the possibility of action by individuals. “The levels of enforcement and liability mean privacy should be part of the broader risk management programme within the organisation. It is critical that you get this right from the outset, to protect both your reputation and your stakeholders,” said Meiring.
Said West: “We have seen damages claims being made against organisations in the US due to privacy breaches, so it is not just about what the regulator sets out, but also about the risk of liability.”
To embed compliance, organisations need strong change management programmes and ongoing training and awareness campaigns, they said.
“By now, organisations should have their compliance frameworks in place, but people are always the biggest risk. It is important to make sure your people are properly trained and understand the need for compliance. You need to make it applicable to them, with examples of how to apply the legislation in practice and the potential impacts of mistakes and breaches,” said West.
David Longford, territory manager at OneTrust, outlined four key steps for managing change to support POPIA compliance:
1. Secure buy-in
Buy-in must be achieved at all levels of the organisation, from the board through to all employees, said Longford. “It helps to be able to tell a story about the planned programme, and what returns it will bring to the organisation. Building trust and growing competitive advantage are important for business strategy, so it can help if your narrative illustrates how compliance supports trust and competitive advantage, and helps each business unit in their day to day activities.”
Alexis Kateifides, Lead Privacy Counsel at OneTrust, noted that risk management was also crucial for the board, so it could prove useful to use global reports and benchmarking to illustrate how privacy compliance supported overall risk management.
2. Normalise the new environment
By using ongoing engagement and collaboration, privacy by design and new ways of running the enterprise become normalised across the organisation, they said. Having compliance champions in every department also helped to support a culture of change.
3. Harness digital transformation
Data privacy leads should collaborate with other departments to re-evaluate existing roadmaps and projects and align them with the ongoing POPIA plan, said Longford. “Look at projects around CRMs, servers, applications, remote office footprint changes, data warehouses, and AI and machine learning to look at opportunities to achieve both compliance and transformation goals at the same time.”
4. Create budget
While many organisations did not have a dedicated privacy budget, Longford said budget could be allocated if privacy leads were able to create a narrative with a clear, compelling and calculated vision and illustrate how compliance would support business goals and growth.
Meiring added: “It is important to communicate that a compliance programme isn’t a once-off checkbox; it is changing the way the organisation does everything in future. It involves a massive amount of ongoing effort.”
To request a demo, go to: OneTrust Privacy Management Software for South Africa.