Organisations that take a proactive approach to the Protection of Personal Information (PoPi) Act will stand themselves in good stead when a regulator is appointed and the principles of the Act are enforced. This is according to Seugnet van den Berg, MD at consulting firm Bizmod.
“The spirit of PoPi is to ensure that all organisations that hold and process personal data do so carefully and with respect for the rights and interests of the people to whom it pertains. Data protection is here to stay and therefore it’s better to pay attention to it sooner rather than later.”
Van den Berg has the following 5 tips:
1. Start the process by conducting a full audit of the processes currently used in the organisation to collect, store, distribute and destroy any and all personal information;
2. Obtain management commitment and support. This is vital to instil a data protection culture to direct employee behaviour;
3. A series of organisation-wide training sessions should be rolled out, encompassing all elements of information protection. The learnings should be reiterated as often as possible. Employees need to change their behaviour towards how they deal with other employees' and customers' personal information. This requires awareness and education as well as driving a culture that will instil privacy and data protection principles;
4. Identify a multifunctional project team to implement the process required to comply with PoPi. This helps to create the required focus and momentum;
5. Collaborate with your legal department, but involve everyone. PoPi implementation is far more than just a legal compliance requirement. There are operational requirements that need to be implemented to be able to comply, for example the implementation of a secure record destruction process. The legal department can guide the project team on aspects such as forms, standard letters and call centre scripts, to give some examples.
Van den Berg says that taking a project approach to PoPi implementation means that each work-stream has its own set of deliverables to help maintain focus and achieve the end result.
“PoPi extends to so many different work-streams, each with their own set of operational requirements needed in order to comply with the legislation. The operational teams rarely have the capacity to implement the requirements on their own, and this is where the project-specific team can assist.”