We offer POPIA and PCI DSS auditing and compliance services
By adopting the following key accelerators, organisations can fast-track their POPIA implementation:
Secure accountability with relevant executives
Accountability is critical for any privacy programme to succeed. It is important for organisations to determine their view of privacy and how they plan to comply with the regulatory requirements. Based on this, agree on a number of key objectives that can be further developed into a strategy and framework to drive the implementation project.
Allocate the Privacy Officer role
By default, the head of the organisation is the Privacy Officer. However, POPIA allows for this role to be delegated. Decide now who will be responsible – will it be the Compliance Officer, Head of Risk or somebody else in the organisation? Take this individual on the journey from the start.
Follow a risk-based approach
Many POPIA programmes have been derailed by teams trying to implement the requirements of POPIA without considering their unique business context. A risk-based approach to POPIA compliance, agreed with the Board or Steering Committee, will ensure that focus remains on the most important POPIA compliance requirements first.
Integrate with existing compliance structures
POPIA is a compliance requirement and much effort can be saved by integrating it into existing compliance structures and processes, such as compliance management, risk management, internal audit and audit and risk committee reporting. Without an appropriate compliance process in place, it may be challenging for organisations to drive POPIA in isolation.
Align with other initiatives
It is important to coordinate your POPIA initiatives with related initiatives within your organisation, particularly in areas such as cybersecurity, data classification and PCI compliance to avoid unnecessary duplication of effort and ensure alignment to business objectives.
Drive behavioural change through training and awareness
Change management is a critical part of embedding privacy into the culture of the organisation. Through training and awareness, the organisation's culture can embrace change in how data is handled, which in turn results in changed behaviours.
Get help outside the organisation
Develop a risk-based and prioritised implementation plan. Look inside the organisation for skills, but where you don’t have them, reach out for assistance from professionals, such as those with multi-disciplinary teams spanning privacy, legal, data, advisory and cyber security specialists.
How can we help?
We have advised and assisted many organisations, from small enterprises to large corporates, in their POPIA compliance journeys. Based on our experience in providing privacy advisory, legal and cyber security services to our clients, we have defined a holistic framework for the management of privacy risk. It is designed to enable organisations to leverage good practices that can be tailored to each organisation’s unique privacy vision and risk exposure.
Training is an important aspect of your POPIA compliance journey. The likelihood of complying with the requirements of POPIA is very slim if the individuals in your organisation do not understand the legislation and the role they need to fulfil to ensure that the purpose of POPIA is carried out appropriately. We provide training at two levels: for executives (owners and directors of an organisation) and for employees (including management). Training covers aspects such as the purpose of POPIA, insight into the key sections covered by POPIA and training specific to the organisation’s POPIA policy standards.
Who does it impact?
POPIA impacts all South African organisations, both public and private, that collect, create, use, store, share or destroy personal information.
What happens if I do not comply?
Non-compliance with POPIA can have serious repercussions for organisations, their employees and their customers.
Impact on organisation
Loss of revenue resulting from negative press, damaged reputation
Losing customer trust
Impact on employee
Disciplinary action and dismissal
Misuse of personal data
Private or confidential data being published
Key questions you should be asking:
Where do I start?
How can I prioritise my implementation activities to comply with POPIA?
What is the POPIA impact for my organisation?
What data do I process and why?
Where is data stored?
Who do I share data with and why?
Is my data secure?
How do I maximise the value of my data in a legally compliant way?
Is my organisation affected by other privacy laws in countries I operate out of?