Common POPI mistakes laid bare
A lot of South African organisations are making common mistakes as they brace for the newly enacted Protection of Personal Information (POPI) Act.
So said Anne-Marie Pretorius, partner at Bizmod Consulting, speaking during the ITWeb POPI Update 2017 conference in Johannesburg.
POPI, SA's data protection law, was signed by the president on 19 November 2013 and published in the Government Gazette on 26 November 2013. On 10 May 2016, the Portfolio Committee on Justice and Correctional Services shortlisted five candidates for the office of Information Regulator.
With the recent appointment of the Information Regulator to oversee the implementation of POPI, all is now set for a commencement date for the law to be announced.
Also speaking at the same event yesterday, advocate Johannes Collen Weapond, a full-time member of the Information Regulator, said POPI will probably come into effect early next year.
According to Pretorius, most organisations are taking a pragmatic approach to POPI, thinking that it is a legal-only project.
"Legal input is very important. Legal experts provide their opinion in the context of the company but typically their area of expertise does not include implementation of the required process, system and behavioural requirements," she said.
Pretorius also pointed out that some organisations are adopting a business-as-usual approach to POPI and will fail in the end. "This is because POPI analysis and 'solutioning' requires dedicated focus to be done quickly and effectively, and operational staff do not have the capacity in their day-to-day work to do this."
Another mistake, said Pretorius, is that enterprises think POPI is only a legal, process or system issue.
"There is a significant requirement for people behavioural change and awareness for POPI to be successfully implemented. A people change management stream is an irreplaceable part of the project team and should be prioritised."
Some organisations also have the false belief that after a successful POPI implementation, a breach will never occur. In all likelihood a breach will still occur at some point, said Pretorius.
"It takes one malicious or careless employee to create this. The key is, however, to have early detection and rapid response processes in place to limit impact and to advise the regulator speedily of resolution and impact."
To be ready for POPI, she pointed out that companies must have a full-time core project team that is dedicated to the POPI programme.
"They must also understand that a POPI programme can be used to move a company to mature its processes and do things the right way. It is also important to involve business and end users in a structured way and drive the behavioural changes required."
Finally, she said, organisations must balance pragmatic business requirements with privacy requirements and realise that all issues cannot be tackled. "Focus on the highest risk and highest value-add solutions first."