The corporate world is currently debating the Protection of Personal Information Bill (POPI) which will soon be promulgated. Much of this debate centres on how onerous the minimum requirements for compliance will be, how long organisations will be given to comply and what the cost implications are likely to be.
Many companies have chosen to take a ‘wait and see’ approach. “Our experience has shown that those companies that see regulatory changes as an opportunity for increasing business value adopt a more positive, proactive approach and also spend considerably less in achieving compliance over the long term,” comments Dean Chivers, Director Tax & Legal, at Deloitte. “They are able to link compliance requirements to the entire value chain of the business so that each functional area buys into its importance, realises the value that can be delivered to the business and collectively bring about change to realise this value.”
Chivers cautions that companies should implement POPI compliance as prudently as possible. “Be realistic – your organisation will not be completely compliant by the time the Act is promulgated in September. POPI is not exclusively a IT or legal or a process or a security issue, it’s a combination of all of these. Create the framework within which POPI will be managed within your organisation, and then build awareness amongst staff around both POPI and your entities POPI compliance framework. This will start to drive POPI issues into your framework, thereby facilitating a proactive, self regulating model.
” Kris Budnik, Director of Risk Advisory, at Deloitte, recommends that a response strategy be established, with the responsible person being one who understands what the law requires.
“Decide on your corporate ethics policy and define and communicate it, teaching your organisation to look out for problems,” says Budnik. “Take the approach that you have done the best you possibly could have. When a problem arises, react quickly and correctly to deal with it and close the loophole. Look for triggers that indicate your processes are not working properly.
” According to Chivers, the POPI Bill will be the catalyst for companies to add value while achieving compliance. They should engage with their customers in the process and use it as an opportunity to build customer trust in the company by highlighting the company’s efforts to treat customer’s personal information with respect and confidentiality.
The following are just some of many opportunities:
There is tremendous advantage to be gained from proactively engaging customers ahead of promulgation, for example:
- Positive customer approvals are more likely to be obtained prior to promulgation and prior to the market being flooded with requests;
- Valuable insights can be obtained from a company’s existing customer database now, ahead of customer requests for data deletion;
- Customers will become aware of the fact that POPI will result in the protection of their personal information, something most people will appreciate. Company’s who lead the market in becoming POPI compliant will gain customer respect and loyalty;
POPI can also deliver many potential positives within a company, to name a few:
- Technology gets the budget go-ahead for middleware and data warehouses, new SAP modules, data security upgrades, etc, which add value when linked to the overall business strategy
- Data analysis of personal information for purposes of POPI compliance can yield significant useful information around customers and markets
- Provides positive motivation to interface with customers, alumni, potential employees, personal networks
- Employee files get updated and remain up-to-date
- Contracts are reviewed and updated and may even be better than before
Budnik recommends that the initial step should be a quick start process prior to promulgation, followed by detailed design and implementation of value-adding initiatives. This will allow the company to gain momentum and build a platform for future opportunities. Firstly, understand the extent of POPI impact on customer and channel strategy, brand positioning and employee proposition; determine possible impacts on people, processes, technology and systems; and define key data requirements for business sustainability.
Thereafter, look at the following opportunities:
- Identify value-adds beyond minimum compliance
- Design customer interactions to increase market share
- Realign processes for a more customer focused organisation
- Link to other initiatives such as process streamlining, productivity improvement and employee communication
- Select technology to support more than just data integration, e.g. non-intrusive technology options ranging from cloud technology, to separate software and simple upgrades
- Build the customer focused organisation by digging deeper into existing customer data
- Use an approach that first establishes the organisational needs and gaps before moving to an ‘all ends at once’ implementation
- Adopt a ‘build to last’ approach for ongoing organisational sustainability
In summary, organisations can gain measurable business performance improvements by approaching the Protection of Personal Information Bill as a strategic opportunity rather than an onerous compliance cost. Realising this potential value from the Bill, however, requires a shift in organisational mindset.
“Don’t be limited or restricted by your existing database,” says Chivers. “Use it as a contact list and first cut segmentation, design a meaningful database for future strategy and populate it by means of an automated permission campaign; don’t be restricted to a single tool or methodology – select those which are most appropriate for your needs; ensure your approach is strategic. Include change management in your implementation; don’t be purely focused on data analytics, ensure that your approach is aligned to your business priorities as well as people, process, technology and system enablers.
” Chivers goes on to say “Every article or advertisement I have ever read on POPI compliance states that POPI compliance needs to start with an analysis of data. This is complex, expensive, takes time and not necessarily effective. Understand your IT, legal, process and security options before jumping on the analysis bandwagon. Ask yourself whether an analysis of data gets you closer to compliance. POPI compliance will require a level of data analysis at some point in the process, but rarely at the outset. Analyse the options and consider the best process for your company. There are a number of options, so give yourself the best chance of adopting the most appropriate one for your company.”