COMPLIANCE SERVICES

We offer POPIA and PCI DSS auditing and compliance services

By adopting the following key accelerators, organisations can fast-track their POPIA implementation:

Secure accountability with relevant executives

Accountability is critical for any privacy programme to succeed. It is important for organisations to determine their view of privacy and how they plan to comply with the regulatory requirements. Based on this, agree on a number of key objectives that can be further developed into a strategy and framework to drive the implementation project.

Allocate the Privacy Officer role

By default, the head of the organisation is the Privacy Officer. However, POPIA allows for this role to be delegated. Decide now who will be responsible – will it be the Compliance Officer, Head of Risk or somebody else in the organisation? Take this individual on the journey from the start.

Follow a risk-based approach

Many POPIA programs have been derailed due to teams trying to implement the requirements of POPIA without considerations of their unique business context. A risk-based approach to POPIA compliance, agreed with the Board or Steering Committee, will ensure focus remains on prioritising the most important POPIA compliance requirements first.

Integrate with existing compliance structures

POPIA is a compliance requirement and much effort can be saved by integrating it into existing compliance structures and processes, such as compliance management, risk management, internal audit and audit and risk committee reporting. Without an appropriate compliance process in place, it may be challenging for organisations to drive POPIA in isolation.

Align with other initiatives

It is important to coordinate your POPIA initiatives with related initiatives within your organisation, particularly in areas such as cybersecurity, data classification and PCI compliance to avoid unnecessary duplication of effort and ensure alignment to business objectives.

Drive behavioural change through training and awareness

Change management is a critical part of embedding privacy into the culture of the organisation. Through training and awareness, the culture of the organisation can embrace change in how they handle data, which then results in changed behaviours.

Get help outside the organisation

Develop a risk-based and prioritised implementation plan. Look inside for skills, but reach out for assistance from professionals, such as those with multi-disciplinary teams between privacy, legal, data, advisory and cyber security specialists where you don’t have the skills within your organisation.

Talk

How can we help?

We have advised and assisted many organisations, from small enterprises to large corporates, in their POPIA compliance journeys. Based on our experience in providing privacy advisory, legal and cyber security services to our clients we have defined a holistic framework for the management of privacy risk that is designed to enable organisations to leverage good practices that can be tailored to address each organisation’s unique privacy vision and risk exposure.

Privacy training

Training is an important aspect in your POPIA compliance journey. The likelihood of complying with the requirements of POPIA is very slim if the individuals in your organisation do not understand the legislation and the role they need to fulfil to ensure that the purpose of POPIA is carried out appropriately.We provide training at two levels, for executives (owners and directors of an organisation) and for employees (including management). Training covers aspects such as the purpose of the POPIA, insight into the key sections covered by POPIA and training specific to the organisation’s POPIA policy standards.

Who does it impact?

POPIA impacts all South African organisations, both public and private, that collect, create, use, store, share or destroy personal information

What happens if I do not comply?

Non-compliance with POPIA can have serious repercussions for organisations, their employees and their customers.
Impact on organisation
  • Financial penalties
  • Criminal sanctions
  • Loss of revenue resulting from negative press, damaged reputation
  • Losing customer trust
Impact on employee
  • Disciplinary action and dismissal
  • Misuse of personal data
  • Private or confidential data being published

Key questions you should be asking:

  • Where do I start?
  • How can I prioritise my implementation activities to comply with POPIA?
  • What is the POPIA impact for my organisation?
  • What data do I process and why?
  • Where is data stored?
  • Who do I share data with and why?
  • Is my data secure?
  • How do I maximise the value of my data in a legally compliant way?
  • Is my organisation affected by other privacy laws in countries I operate out of?