Organisational best practice defined by the existence of a Privacy Office

Key to ensuring the success of a Privacy Office, which incorporates data governance, information security and regulatory compliance, is incorporating people change management.

Johannesburg, 20 Nov 2019
Read time 2min 10sec

Cyrus Ndyamba, from Bizmod Consulting, says that a Privacy Office is far more than just about compliance. “For large organisations processing personal information in SA, it is vital that a Privacy Office is established internally.” 

Ndyamba says that a Privacy Office helps to establish best practices regarding privacy, data governance, information security and organisational culture, while ensuring that the Protection of Personal Information Act (Popia) and the Promotion of Access to Information Act (Paia) are fully complied with.

Ndyamba says there are three crucial roles that the Privacy Office is primarily responsible for:

  • Compliance: The Privacy Office is responsible for ensuring that the organisation adheres to Popia and Paia, and that both legislations are clearly understood by the organisation. For entities with operations outside of SA, it is important to ensure that the trans-border requirements are fully understood and complied with.
  • Operationalising the privacy function: Although regulatory requirements are a key driver in the implementation of data protection, operationalisation of privacy further entails positioning the function as a strategic partner in day-to-day business practices. This is best achieved by embedding privacy as a default setting and applying “privacy by design” principles to everyday business processes and activities.
  • Technical implementation: In an effort to enhance the organisation's privacy and security position, certain technical security requirements or system changes need to be implemented by the organisation.It is the role of the Privacy Office to clearly articulate these technical security requirements and contract with technology teams to ensure that these requirements are implemented and realised.

"The risks for organisations not creating a Privacy Office are considerable," warns Ndyamba. He cites the top three risks as:

  • Penalties for non-compliance being issued by the Information Regulator. The Information Regulator has extensive powers, including being able to hold a responsible party accountable for failing to comply with Popia and Paia.
  • The reputational damage resulting from a data breach.
  • Financial loss resulting from a decrease or loss of competitive advantage.

“Ultimately, a key element in ensuring the success of setting up a Privacy Office, which will fulfil the above responsibilities, is incorporating people change management at every step of the process. Regulatory compliance, adoption of 'privacy by design' and organisational adherence to privacy and security controls requires adoption from employees at all levels within the organisation,” concludes Ndyamba.

For more information, visit

Editorial contacts
Inge Lawrence