POPIA – How to start your compliance project

Considering the just-announced POPIA “go live” date, Ilze Luttig Hattingh of Novation Consulting advises on seven things you can do to kickstart your POPIA compliance project, even during a worldwide pandemic:

1. Assemble a project team
2. Do an information governance (IG) maturity assessment
3. Work out a high-level project plan
4. Work out a budget
5. Do a preliminary investigation
6. Review your current policies
7. Draft your POPIA Compliance Framework

How should you action a preliminary investigation?

Hattingh advises that a good starting point is to set up some time with senior managers and get a sense of where and how your organisation uses personal information. She identifies a few questions you should answer:

What customer information do you collect?
How do you collect it?
Where is it stored?
What employee information do you have and where do you store it?
What service providers do you use that have access to your customer or employee information?
Do you do direct marketing? How?
Do you sell datasets that contain personal information?

It’s also important to review your current policies and to draft a POPIA Compliance Framework.

The framework should:

Define the aim and principles of your POPIA compliance programme.
Identify the roles and responsibilities within the programme.
Include a policy development and alignment plan.
Set out a policy implementation plan.
Describe your approach to risk assessments.
Describe your approach to compliance monitoring.

Don’t be lulled into a false sense of complacency, thinking you still have a year to get your ducks in a row. Now may be the best time, while we wait for the pandemic to pass.