Preparing for POPI begins with processes
Arthur Bucas - associate director at Ovations and head of ECM and BPM
The Protection of Personal Information (POPI) Bill, due to be signed into law imminently, places substantial demands on any business that deals with personal information, whether that of its own employees or of consumers. Key to achieving and maintaining compliance with the Bill is effective management of business processes and instituting sound content management practices.
Business process management is usually the first stage in capturing information, which makes getting it right all the more important in light of the Bill. If processes, particularly automated ones, are not compliant with POPI, a company sets itself up for potentially costly problems down the line, given the Bill's proposed punitive measures, which include fines of up to R10 million or 10-year prison sentences.
It's equally important that companies pay close attention to content management, says Arthur Bucas, associate director at Ovations and head of ECM and BPM. In addition to needing to meet POPI's stringent security and access requirements, companies need to be able to produce personal information on request and be able to demonstrate that redundant information has been properly disposed of, and that remaining content can't be used to reconstruct it.
Moreover, creating and enforcing sound content management practices makes good business sense, because having organised, accessible content enables a company to make use of it to glean insights about its business, whether about customers, products, processes or potential opportunities.
Most companies don't have their processes properly documented, nor can they tell at a glance which processes have personal information associated with them. In such cases, the best place to start is with a process audit that will indicate which processes are impacted by personal information, help document each, and check whether they are compliant.
Where processes are not compliant, an audit and assessment of them can help to show a company which processes need to be reengineered. This reengineering should always be done with the support of a proper change management initiative. If using a third-party vendor to do so, it's crucial that a company ensures the vendor has a thorough and comprehensive understanding of POPI itself.
Many companies are underestimating the scope of POPI and the burden of achieving compliance. Though businesses will have 12 months to comply with the Bill once it is passed, for large companies with enormous quantities of personal information, the magnitude of the task is difficult to quantify.
Take, for example, the large financial institutions, which may have personal information on clients in disparate locations or departments. Once POPI is enacted, any consumer can demand to see all of this information, ask what it is used for, and ask how and where it is stored. Being in a position to answer all of these questions presents a massive challenge for any business.
There's also a common misconception that POPI only applies to multinationals or other large corporate entities. That's simply not the case. Even a self-employed person who keeps information on his/her clients, whether a plumber, a hairdresser or a delivery business, will be required to meet its requirements.
Further, it's not enough to know where and how personal information is hosted: to achieve compliance, companies need to be able to demonstrate that the applicable data they hold is secure and that only those people within the organisation who ought to have access to it do. Where POPI is concerned, privacy policies and procedures should govern who has access to personal information and what they are able to do with this information.
The businesses that will be least impacted by POPI are those that have already begun to plan for it. By setting goals for what your company's personal information policies and practices should look like in a year's time, you can help ensure the Bill doesn't negatively impact your business, or your bottom line.
Equally important is ensuring all staff affected by the Bill - and that's likely far more of them than you think - are properly educated about it. POPI is as applicable to executives as it is to junior staff, so it's equally important that each group is aware of its responsibilities with regard to the Bill. In all matters relating to POPI, being prepared now could prevent a (potentially expensive) crisis later.
Ovations is equipped to help companies define a strategy and roadmap to enable POPI compliance. It provides a complete and holistic execution that interweaves the key areas of people, processes and technology throughout the organisation. Ovations can conduct audits and create an appropriate POPI strategy, along with a roadmap to implement that strategy. POPI is all but finalised, but don't let it take you by surprise.