With the deadline for the Protection of Personal Information Act (POPIA) coming into effect in a matter of weeks, companies are driving towards compliance and have been hard at work to prepare for this − in most cases for years.
At the Argility Technology Group, we embarked on our compliance programme many years ago, which has left us confident that the company has always taken the protection of personal information seriously, and that the process would not turn out to be an onerous one.
The sheer volume of work required is, of course, still daunting in terms of the man hours necessary to get to the finish line.
Having appointed our CEO as Information Officer, with full responsibility for our compliance, we set out three years ago to embed compliance strategically and methodically across the organisation.
With the support of a team of 15 people, and with every department committed to managing its own compliance processes, the work of documenting every process, running gap analyses, educating staff and collating reports has consumed hundreds of man hours since we began in 2018.
When compounded with the normal commitments of running the business and meeting all strategic targets, this has been challenging, to say the least.
This process, while daunting when it came to interpreting the Act and tying its various components together, has been a good one. In many instances it was a matter of clarifying what is required and confirming that it is already in place. The process also helps to identify gaps, and going forward it unquestionably adds another level of governance and trust, both internally and for our customers.
My advice to all businesses on the POPIA journey − and we are all in it up to our necks − is to exercise an abundance of caution, meticulously follow all the paths I have outlined in the foregoing, and then commission consultants to verify that you have not only done enough, but have done it correctly. The latter is more likely to produce a peaceful night's sleep, without POPIA nightmares breaking through.
Across the South African market, we encounter many large enterprises that − like us − have been on a compliance journey for years, but for many, the work performed to date will not be enough to meet the deadline.
Flurry of comms in run-up to the deadline
We are now seeing signs that the challenge isn't over: many companies are already sending out letters requiring confirmation of POPIA compliance, and this is set to become a flurry of mail between business networks across the country over the next couple of months.
Responding to these, and attending to risk ratings for every department and every process, will become increasingly time-consuming and is not to be taken lightly. We are all in the same boat, and of course we are also sending out our own mails to third-party suppliers and recording their responses.
As with every business in the country, we must evaluate these responses in terms of risk ratings and compliance: under POPIA, responsibility does not stop with your own business but extends to every business you deal with. Questions will therefore surface around responsibility and accountability for commercial implications, for data held on shared infrastructure, and for data in transit via third parties outside your own environment, to name a few.
Third-party operators and vendors that process personal information must, in terms of POPIA, provide assurances of the necessary security and compliance measures, but we may all encounter grey areas, such as when a customer processes data using a system built by a vendor, particularly under a subscription model. If the data belongs to the customer and is processed under the customer's authority, should the developer of the system carry any accountability?
Questions such as these will spark debate. In business today, there are many overlaps and ripple effects, and where one system impacts or integrates with another, the responsibility for managing and securing the data is not always clear.
Any company providing services to businesses is an operator in POPIA's terms, but it is also a responsible party for the personal information it processes within its own structures and processes, which raises a potential need to negotiate the impact of compliance and shared-risk models. All organisations in this position will need to address how to ensure the third parties they engage with remain compliant.
This is an ongoing process and will not end with the July deadline. Compliance demands a change in behaviour wherever a business works with data. It requires ongoing control and maintenance, with governance committees meeting regularly to assess and review measures. Compliance must become a part of your processes − across every department, partner, supplier and individual involved.
Indeed, it is already a culture at our organisation, and I feel this is how all companies must approach this daunting task.