The Protection of Personal Information Act (PoPIA) is a principle-based regulation, which means that context and interpretation play a role in its application. Every organisation therefore has to interpret the law within its own circumstances before compliance measures can be tackled. That is why it is preferable to speak of operationalising PoPI within your organisation rather than merely complying with PoPI: operationalising is what produces compliance.
Operationalising PoPI refers to the work needed to take the theoretical perspective of the law and turn it into a reality in your organisation. It is about taking the context of the organisation and its customers and translating it into business processes, operating approaches and the ongoing tasks employees perform every day, so that a PoPI-compliant culture develops within the organisation.
Where does one start with such a requirement?
This, at a high level, is a practical way to operationalise PoPIA in your organisation:
- Define the target Operating Model that will support PoPI compliance in future. That is the "Vision" of the project.
- Then draft your Privacy Policies and Guidelines, based on the Act and its Regulations.
- Next, do a Gap Analysis between your current and target Operating Models: define your "as is" (where you are now) and your "to be" (where you want to be at the end of the PoPIA project). This highlights the enhancements needed to processes and business practices.
- Based on the Gap Analysis, design the solutions that will bring about the required enhancements to processes.
- Lastly, implement the designed solutions.
A crucial part of implementing the above is a clear understanding of what "change" means when operationalising PoPI in your organisation.
The change comprises:
- Changes in processes (i.e. moving from the "as is" to the "to be" state). These make up around 25% of the total change required.
- Changes in technology: acquiring and implementing the security safeguards needed to protect Personal Information. This makes up around 15% of the total change.
- People, the last element in the change equation, make up a whopping 60% of the total change required. This area is about managing changes in people's behaviour. It is therefore critical that Change Management forms a key part of the PoPI project, to ensure full participation, buy-in and acceptance of the privacy changes by all employees. PoPI is not just a topic for the executive suite: successful compliance hinges on changed behaviour throughout the organisation.
Step 2: Design Solutions and Build up a Portfolio of Evidence by Applying a Process Management Approach
The saying goes, "if it is worth doing, it is worth documenting". Nowhere is this more true than in documenting for PoPIA purposes.
A Process Management Approach is invaluable in dealing with two further elements of a PoPIA project:
- Designing solutions for the identified changes to processes and business practices (see the fourth point above) to build a PoPIA-compliant organisational culture, and
- Building up a Portfolio of Evidence, as the PoPIA regulations require, showing that due consideration was given to the privacy risks within the particular context of the organisation and to the mitigating steps taken to counter those identified risks.
The Act specifies 48 Personal Information data elements. Before processes and business practices can be adjusted so that these data elements are handled properly and securely, one first needs to understand where they are used in the organisation and how they are processed. To that end, map the processes in which Personal Information is used. Only then can the associated risks be defined, which in turn makes it possible to devise solutions that reduce the likelihood of a breach and lower security risk.
Process mapping is therefore key to understanding privacy risks. We use a storyboard form of process mapping, chosen for its simplicity: it is easily understood and conveys a large amount of information through images.
This is how it is done:
- Review the current processes identified in the gap analysis
- Capture each of these processes (using a visual process mapping method, such as VizPro®)
- Refine the process map by:
  - Identifying the Personal Information data elements used within the particular process;
  - Identifying the privacy-related risks pertaining to the process;
  - Identifying the controls that address the identified risks;
  - Putting together a Risk Matrix.
Keeping in mind the 48 data elements and the very broad definition of "processing" (which covers every operation listed in the Act, from collection through to destruction), process mapping is useful because:
- It shows exactly who is processing personal information, and in which role (the "responsible party" or an "operator" acting on its behalf). This matters because processes outside your immediate control tend to be high-risk areas: the responsible party remains accountable for personal information processed on its behalf, even when the breach occurs at the operator. Management of these operators (for example through the written contract and security obligations the Act requires between a responsible party and its operators) might have to be improved in order to become compliant.
- It shows where structured and unstructured data processing is used. (Unstructured data processing refers to practices that rely on e-mail, file sharing, SharePoint and cloud services.) Unstructured processing tends to be a high-risk area because it is not secured in the way a structured system is: personal information spreads into mailboxes, shared folders and cloud services with little access control, and these areas need enhanced security safeguards to assure compliance.
The resulting process map, which includes a Personal Information Dashboard, provides at-a-glance information on all the PoPI risks in that process. This not only helps to assess risk areas and plan mitigating actions, it also forms part of a very compelling Portfolio of Evidence of the steps taken to ensure PoPI compliance.
Remember the Y2K scare of 1999 that spread dread and fear as we moved into the year 2000?
PoPIA has the potential to follow in the same footsteps, with many using scaremongering tactics to create fear and confusion about how impossible PoPIA is to implement.
This is not true though.
PoPIA is in fact within your reach. There are really only a few simple steps to follow to implement privacy successfully within your business.
While it is true that PoPIA is a regulation, it shouldn't be seen as a "grudge purchase". It is about protecting the personal information of our clients, our employees and consumers in general. Ultimately, it is also about protecting our own personal information.
We should all lead the way in this, if for no other reason than because it is the right thing to do.
For more information on integrating PoPIA into your organization, please get in touch with our team at firstname.lastname@example.org