You know that you need to be POPIA compliant, but don’t lose sight of the bigger picture: effective data management has massive benefits beyond checking boxes, including heightened security and governance, and reduced risk.
POPIA compliance is a journey, not a PowerPoint slide
Compliance with the Protection of Personal Information Act (the POPI Act or POPIA) is not something that is achieved after a single assessment, or by simply completing a round of internal training.
Achieving meaningful compliance is a journey. In our extensive work across industries and organisations we’ve seen that some journeys are more advanced than others. Highly regulated sectors – finance, health, aviation – and larger companies with more resources have typically made real progress. Smaller companies, those in less tightly regulated industries, and some state departments may still have a way to go.
The bad news: it’s dangerous out there, and there’s a lot at stake
First, the bad news. Non-compliance with POPIA doesn’t only open you up to punitive action, it increases your chances of data breaches and loss of personal information. That carries with it significant business and reputational risk.
We’ve seen this played out again and again. In South Africa, personal data related to more than 1.4 million people was illegally accessed from the servers of debt recovery agents Debt-IN in April this year. Data pertaining to 24-million people and nearly 800 000 businesses under the control of credit bureau giant Experian was exposed in late 2020. Even the South African National Space Agency (Sansa) was the recent victim of a cyberattack, with 20GB of data stolen from its servers.
Internationally we’ve seen spectacular breaches occur in exceptionally high-profile companies. In 2019 1.1 billion pieces of user data were scraped from the Alibaba Chinese e-commerce site, Taobao. In June 2021, LinkedIn saw data associated with 700 million of its users posted on the dark web. And in September this year, WhatsApp was ordered to pay a penalty of 225 million euros (nearly R4 billion) for failing to be transparent about how it handled personal information under the EU’s GDPR legislation.
The good news: clever data management can be a huge business advantage
Here’s the really good news: if you take a long-term, constructive approach to POPIA, and embed it in a holistic data-management and data-governance strategy, you can expect to see a host of tangible benefits accrue to your organisation.
- Engaging with POPIA requirements forces you to examine your systems and processes, thereby identifying areas at risk of breach.
- Strengthening these areas doesn’t just mean you’re not liable for punitive measures, it reduces reputational, financial, legal and business risk.
- Info can be decluttered, data can be enriched, and this discovery process can, in our experience, lead to new business opportunities.
- Proper data management might start with POPIA, but it has much wider application.
- It leads to better, more trusting relationships with the public, your customers, and clients.
- It offers opportunities for efficiencies, automation and rationalisation that might not otherwise have been exposed.
In summary: making real headway on the POPIA journey is not just going to make you compliant, it’s going to make your data management more efficient, more valuable, and more secure.
Build trust, keep your business data safe and secure
Protecting your data means protecting your company, your employees, and your customers. Apart from the legal ramifications, it’s just the right thing to do.
Some consultants offer advisory, some offer implementation. We do both to SOLVE for our clients’ needs, and as a result we’ve been able to deliver value-adding work across a wide range of public and private-sector organisations.
Our multi-disciplinary teams could include business analysts, project management, legal, regulatory compliance and software development, depending on your requirements. They have access to a toolbox of solutions, which allows us to drive rapid assessment and implementation of compliance actions. These tools include
- POPITools - our implementation platform which provides the foundation of our approach. The platform intelligently reduces the clutter and complexity of the regulations, focusing on immediately actionable points and streamlining the compliance process.
- A user friendly, cloud-based POPIA task list implementation tool developed in collaboration with the developers of BarnOwl GRC - we’ll share more about this exciting initiative in future.
- Spotica https://ioco.tech/partner/spotica/ - a virtual cyber security officer in a box that will assist you with your cyber security posture and guide you on your cyber security journey.
- Cerebro – our business and workflow management platform – GRC in a Box. The functionality within the platform allows for different business processes to be configured. Think Quality Assurance, Governance Risk & Compliance, eLearning Management, Support Services, Project Management, Employee Performance Management and more.
- The iOCO ICT assessment platform - provides assessments of COBIT, ITIL, ISO27000 and NIST compliance, gap to target state as well as implementation tracking. The platform also provides a full learning management system (LMS) where employees can be given POPIA and GDPR awareness training and assessments of individual awareness or competency.
POPIA is a journey you are required to make. But it doesn’t have to be a hurdle. Instead, it can be a big step forward. Wherever you are on the POPIA journey, our advice is this: change your mindset from check-box compliance to secure, lasting business value.
By Karus Prinsloo (Advisory Manager) and Leone Theron (Consultant, Advisory)