Compliance and Governance
Where do you start?
POPIA has been in effect since 1 July 2021. Businesses are still unsure of what needs to be done to be compliant, or whether they are indeed compliant. At CX Consulting, we are there to assist you with the process to ensure you do comply.
While ensuring compliance might seem overwhelming, it can in fact be achieved in five easy steps:
- Appoint or reassess the role of the information officer. In terms of the regulations under POPI, the duties imposed on the information officer have been extended and now include certain mandatory duties. The default information officer of a private body is its head, which is generally the CEO, unless the role has been delegated. The first step to compliance would therefore be to appoint an information officer if the organisation does not already have one, or to reassess the role of the existing information officer in line with the requirements set out in POPI.
- Create awareness. In order to ensure effective compliance, buy-in from senior management all the way down the chain of command is needed. Make sure employees understand what data privacy legislation entails and what is required of them. This can be achieved through interactive awareness training.
- Personal information impact assessment. Once all employees are informed, self-assessments and audits should start throughout the organisation, within each business unit. It is important to understand what information is collected, how it is collected, by whom it is collected, what it is used for, how it is stored and processed, how it is retained and destroyed, and whether it was collected with the necessary consent. Once the self-audits are completed, there should be a clear understanding of how data is being processed in the organisation, and the organisation will be in a position to identify gaps and produce a clear gap analysis and risk assessment report.
- Develop a compliance framework, which can include processes and policies. A proper gap analysis will help identify which processes and policies have to be put in place.
- Implementation. The compliance framework should be implemented, monitored and maintained. Policies and procedures do nothing to aid compliance if they are not properly implemented. The last step to compliance would be to ensure the proper implementation of new policies and procedures through in-depth training, awareness campaigns, annual re-training and compliance audits.