Friday, February 11, 2011

Is the Protection of Personal Information Bill (POPI) a necessary evil or opportunity for value add?

The corporate world is currently debating the Protection of Personal
Information Bill (POPI) which will soon be promulgated. Much of this
debate centres on how onerous the minimum requirements for compliance
will be, how long organisations will be given to comply and what the
cost implications are likely to be.

Many companies have chosen to take a ‘wait and see’ approach. “Our
experience has shown that those companies that see regulatory changes
as an opportunity for increasing business value adopt a more positive,
proactive approach and also spend considerably less in achieving
compliance over the long term,” comments Dean Chivers, Director Tax &
Legal, at Deloitte. “They are able to link compliance
requirements to the entire value chain of the business so that each
functional area buys into its importance, realises the value that can
be delivered to the business and collectively bring about change to
realise this value.”

Chivers cautions that companies should implement POPI compliance as
prudently as possible. “Be realistic – your organisation will not be
completely compliant by the time the Act is promulgated in September.
POPI is not exclusively an IT or legal or a process or a security
issue, it’s a combination of all of these. Create the framework within
which POPI will be managed within your organisation, and then build
awareness amongst staff around both POPI and your entity’s POPI
compliance framework. This will start to drive POPI issues into your
framework, thereby facilitating a proactive, self-regulating model.”

Kris Budnik, Director of Risk Advisory, at Deloitte, recommends that
a response strategy be established, with the responsible person being
one who understands what the law requires.

“Decide on your corporate ethics policy and define and communicate
it, teaching your organisation to look out for problems,” says Budnik.
“Take the approach that you have done the best you possibly could
have. When a problem arises, react quickly and correctly to deal with
it and close the loophole. Look for triggers that indicate your
processes are not working properly.”

According to Chivers, the POPI Bill will be the catalyst for
companies to add value while achieving compliance. They should engage
with their customers in the process and use it as an opportunity to
build customer trust in the company by highlighting the company’s
efforts to treat customers’ personal information with respect and
confidentiality.

The following are just some of many opportunities:

-There is tremendous advantage to be gained from proactively engaging
customers ahead of promulgation, for example:
  -Positive customer approvals are more likely to be obtained prior to
  promulgation and prior to the market being flooded with requests;
  -Valuable insights can be obtained from a company’s existing customer
  database now, ahead of customer requests for data deletion;
  -Customers will become aware of the fact that POPI will result in the
  protection of their personal information, something most people will
  appreciate. Companies that lead the market in becoming POPI compliant
  will gain customer respect and loyalty.

POPI can also deliver many potential positives within a company, to name a few:

-Technology gets the budget go-ahead for middleware and data
warehouses, new SAP modules, data security upgrades, etc, which add
value when linked to the overall business strategy
-Data analysis of personal information for purposes of POPI compliance
can yield significant useful information around customers and markets
-Provides positive motivation to interface with customers, alumni,
potential employees, personal networks
-Employee files get updated and remain up-to-date
-Contracts are reviewed and updated and may even be better than before

Budnik recommends that the initial step should be a quick start
process prior to promulgation, followed by detailed design and
implementation of value-adding initiatives. This will allow the
company to gain momentum and build a platform for future
opportunities. Firstly, understand the extent of POPI impact on
customer and channel strategy, brand positioning and employee
proposition; determine possible impacts on people, processes,
technology and systems; and define key data requirements for business
sustainability.

Thereafter, look at the following opportunities:

-Identify value-adds beyond minimum compliance
-Design customer interactions to increase market share
-Realign processes for a more customer focused organisation
-Link to other initiatives such as process streamlining, productivity
improvement and employee communication
-Select technology to support more than just data integration, e.g.
non-intrusive technology options ranging from cloud technology, to
separate software and simple upgrades
-Build the customer focused organisation by digging deeper into
existing customer data
-Use an approach that first establishes the organisational needs and
gaps before moving to an ‘all ends at once’ implementation
-Adopt a ‘build to last’ approach for ongoing organisational sustainability

In summary, organisations can gain measurable business performance
improvements by approaching the Protection of Personal Information
Bill as a strategic opportunity rather than an onerous compliance
cost. Realising this potential value from the Bill, however, requires
a shift in organisational mindset.

“Don’t be limited or restricted by your existing database,” says
Chivers. “Use it as a contact list and first cut segmentation, design
a meaningful database for future strategy and populate it by means of
an automated permission campaign; don’t be restricted to a single tool
or methodology – select those which are most appropriate for your
needs; ensure your approach is strategic. Include change management in
your implementation; don’t be purely focused on data analytics, ensure
that your approach is aligned to your business priorities as well as
people, process, technology and system enablers.”

Chivers goes on to say, “Every article or advertisement I have ever
read on POPI compliance states that POPI compliance needs to start
with an analysis of data. This is complex, expensive, takes time and
not necessarily effective. Understand your IT, legal, process and
security options before jumping on the analysis bandwagon. Ask
yourself whether an analysis of data gets you closer to compliance.
POPI compliance will require a level of data analysis at some point in
the process, but rarely at the outset. Analyse the options and
consider the best process for your company. There are a number of
options, so give yourself the best chance of adopting the most
appropriate one for your company.”
