Your POPI Act to Practice Partner

how to comply

The key question is “Where to Start?”

ITS Support provides the answer to this pertinent question and can assist you with each step on your journey to compliance.

We recommend our proven POPI to Practice 10-step approach, which consists of the following easy-to-follow, actionable steps:


Step 1 – Define a POPI to Practice Project

OUR APPROACH: Your first step to compliance is to define a POPI to Practice action plan, project or programme.

WHY WE DO IT: The extent, comprehensiveness, size and cost of your plan, project or programme depend on the size of your business, for example:

  • a small or medium enterprise with 1–50 employees can implement compliance at minimum cost and with a quicker turnaround, typically 3–6 months
  • for a larger organisation with thousands of employees the process is far more complex and costly, and implementation can take 1–2 years


Step 2 – Appoint your Information Officer (IO)

OUR APPROACH: Define and register the Information Officer and Deputies.

WHY WE DO IT: The POPI Act requires the appointment of an Information Officer, who is responsible for ensuring compliance with the provisions of the Act and, in particular, with the eight (8) conditions for the lawful processing of PI.

Your Information Officer must be formally registered with the Information Regulator as soon as the regulations on how to complete the process are available.

The IO’s role and responsibilities must be clearly defined in your business.


Step 3 – Assess the possible gaps in your business with regard to compliance with the POPI Act

OUR APPROACH: Facilitate a gap analysis.

WHY WE DO IT: A gap analysis is the process in which you evaluate your business’s readiness for compliance with the POPI Act.

You need to conduct a gap analysis to gain valuable insight into the business processes used to collect, record, store, disseminate and destroy Personal Information (PI).

The processes identified must then be measured against the POPI Act’s compliance requirements to identify your risk areas.


Step 4 – Identify all the Personal Information (PI) your business collects and processes across its life cycle

OUR APPROACH: Do a PI audit for your business.

WHY WE DO IT: Know your Personal Information (PI) by identifying all the PI collected, processed and managed in your business. A proper audit is required to list every source and entity that can contain PI, such as business documents, transactional documents, persuasive documents, data records, databases, document management systems, networks and data warehouse systems.


Step 5 – Identify and document the policies and procedures required for compliance

OUR APPROACH: Identify and document the policies and procedures required for compliance to the Act.

WHY WE DO IT: This means that you must, firstly, know WHICH policies and procedures are required and, secondly, what your status is with regard to the policies and procedures you already have in place.

The results of your gap analysis and PI audit can be used as input to define all the required policies and procedures.

  • ITS Support provides consultation services on documenting the required policies, such as a POPI Compliance Policy, a POPI Privacy Notice, Consent Management guidelines, Information Security Policies, a Document Management Policy, a Records Management Policy, etc.


Step 6 – Implement the required reasonable technical measures

OUR APPROACH: Facilitate implementation of Security and Technical Measures.

WHY WE DO IT: One of the key requirements of the Act is the implementation and maintenance of security safeguards and technical measures.

Technical measures are mostly focused on information security and the implementation of technology: systems, access protocols, adequate storage and IT filing systems, cloud storage, document and records management systems, anti-virus software and firewalls, cyber security software, access rights and data security, physical security of servers and IT systems, etc.


Step 7 – Implement the required reasonable organisational measures

OUR APPROACH: Facilitate implementation of the organisational measures necessary to ensure information privacy.

WHY WE DO IT: Organisational measures are mostly focused on information privacy, such as the use and governance of PI, and depend greatly on human behaviour.

Organisational measures you can implement include POPI awareness training plans, employee orientation workshops, change management strategies, privacy policies, consent management processes and documentation, and the appointment of your Information Officer.


Step 8 – Train your employees

OUR APPROACH: Provide Training – both online and on-site as required.

WHY WE DO IT: You are responsible for educating your employees about compliance with the POPI Act. Actions to consider include drawing up a training plan, drawing up a change management plan, evaluating specific training requirements, scheduling POPI Act workshops and making use of online training options.

The online training options provided by ITS Support are a good example of relevant courses that are both convenient and economical.


Step 9 – Make these compliance practices part of “Business as Usual”

OUR APPROACH: Provide consultation and support as required.

WHY WE DO IT: Once you have done what is reasonably practicable to comply, such as implementing our recommended compliance tasks and elements, it is important to maintain these elements by incorporating them into your day-to-day processes.

This means that compliance to The POPI Act must become part of “Business as Usual”.


Step 10 – Maintain your Compliance status

OUR APPROACH: Empower you with tools, and provide the consultation and support necessary to maintain your compliance status.

WHY WE DO IT: Now that you have implemented all the compliance requirements, it is equally important to have measures in place to ensure the continuous maintenance of your compliance.

On completion of the POPI to Practice plan, the Information Officer will be responsible for the continuous maintenance of all the compliance actions, processes, policies and systems implemented during the project phase.

This continuous focus on the lawful processing of PI will ensure that:

  • the relevant resources are always available
  • the relevant roles and responsibilities are identified
  • processes are continuously governed and updated
  • technical systems are constantly upgraded

let us know how we can help

Questions about our offerings, or would you like to know more?
