Becoming POPI compliant is not a once-off project for a financial institution; it requires continuous activity and ongoing commitment. To be sustainable, compliance must be mandated by the Board (or equivalent), implemented by senior management and supported by all levels of management and by risk owners.
In a small business this means the owner/manager must take responsibility for ensuring that the required steps are put in place and carried out by staff. The implementation process therefore rests on two activities: communication and consultation.
Designing an effective process to manage implementation
The communication process must be well designed to support effective implementation. This involves defining the context of the organisation’s POPI framework, formulating a POPI policy, embedding processes into day-to-day practice, assigning resources and determining responsibility. These are the key elements of designing an effective process to manage implementation.
Well-designed and regular reporting to stakeholders, together with effective communication mechanisms, supports effective implementation. Once the framework has been designed, implementation is about putting the theory into practice and communicating its purpose to stakeholders at all levels. Specifically, it is about ensuring that the POPI process is understood by risk owners, operators and data subjects through good communication and training, and that implementation activities actually take place.
This can be achieved through communication and consultation channels ranging from assessments and workshops to internal controls and POPI awareness campaigns. Such communication ensures that decisions and business processes factor in risk-thinking throughout the organisation. Overall, this risk-thinking adds value because staff come to approach personal information with the same mindset.
Starting Implementation…
Implementation can start by designing a framework for handling personal information, built in consultation with all relevant parties. A pre-implementation (pilot) phase then lets staff test whether the designed POPI framework is suitable and cost-effective for the business. Throughout, management must consistently communicate its support to the key players and leave no doubt about how crucial POPI compliance is for the business.
Some ideas for implementing POPI
Implementation
- Design the implementation plan in line with the business’ awareness framework.
(Refer to Part I of this series where we discussed Awareness.)
Regulator
- Decide whether you need prior authorisation from the Regulator before processing personal information.
- Determine whether you qualify to apply for an exemption from the conditions for processing (refer to section 37).
PAIA Manual
- Draft and review your PAIA manual. (There will be one Regulator for both PAIA and POPI.)
Professional Indemnity
- Consider taking out cyber or POPI insurance; POPI claims will not be covered by default under existing professional indemnity (PI) cover.
Marketing
- Put an unsubscribe link in all communications.
- Ensure that staff who send bulk e-communications complete a POPI checklist before sending.
- Review all marketing consent clauses used at the point where personal information is collected.
- Ensure that opt-out options are simple to use.
- Review any communication in which a person is asked to opt in to a newsletter.
Systems
- Identify what changes to existing systems are required.
- Create separate IT projects for changes.
- Identify whether new systems may be required.
- The customer database must clearly distinguish existing clients from prospective clients.
- Determine how customers will access the personal information about them held on your systems.
- Systems must specifically protect account numbers (e.g. bank account, pension fund, membership and investment numbers).
Customers
- Review customer-facing documents.
- Review the current complaints procedure so that it covers complaints from data subjects (so that customers complain to you rather than to the Regulator).
- Put an interim external customer privacy policy in place that also covers prospective customers.
If you would like a proposal on how we can assist your business with POPI Training, Implementation and Monitoring, please contact your nearest Masthead Regional Office or your Masthead Compliance Officer.