The Planning phase is to ensure that everybody in the business is prepared for the developments which the Protection of Personal Information Act (POPI) will bring.
The first phase, Awareness, which was discussed in the previous issue, highlighted the steps to be taken to make the responsible parties aware of their role. The Planning phase is to ensure that the governance structures are identified. This phase can be seen as a three-step plan of assessing, analysing and defining solutions.
Step One – Assess
Assess what the privacy impact is on your business. In order to determine this, you have to map the activities of your business and not merely the type of information that you deal with. Mapping your activities means focusing on those activities which are at the core of your business.
Questions which should be asked are:
- What are our biggest risks?
- What activities do we perform which involve Personal Information?
- What documents will be affected?
- Is our main business activity threatened?
Step Two – Impact Analysis
Once you have identified these activities, a Risk/Cost Impact Analysis should then indicate which aspects of your business will be most impacted by POPI. This analysis will also indicate where the gaps in your business are that relate to the safekeeping of personal information.
Important questions to ask in this step are:
- To which aspect of my business will POPI apply?
- What does POPI require me to do on an operational or day-to-day basis?
- What are we currently doing and what will have to change?
Step Three – Define Solutions
After the assessment and analysis have been completed and the gaps have been identified, you will then be able to determine which solutions will work best for your business and in your practice. A privacy strategy can be designed to focus on the gaps and the affected areas of the business. Each organisation should have a privacy strategy that suits its specific needs. The goals of your business will determine the privacy strategy, which could take the form of absolute compliance, minimum compliance, spending the least amount of money for the biggest impact, or preventing sanction by the Regulator. There is no standard strategy; one has to be designed according to the requirements of the business.
In order to determine solutions, you will need to identify those documents which may need to be amended or implemented, such as:
- Information Security Policies
- Employment contracts
- Mandates with third parties
- Customer facing documents
This three-step process will help to map the business’ core activities against the requirements of POPI. It will establish the gaps and focus areas, which will assist in identifying those company documents and processes which will have to be amended or implemented.