The following steps can serve as a guideline for POPIA implementation by data management professionals, with an example step sequence for outlining a bespoke compliance strategy that keeps the organisation's unique approach in mind. A cookie-cutter approach is not advisable, as every organisation has specific inherent risks that need to be incorporated into this process.
Table: Guideline and Step-Process to Implementation (each numbered step is followed by its description and suggestion for data management teams)

1. Raise awareness of POPIA with all data management professionals and across the organisation.
   · This will ensure that all staff and professionals know about the Act and are part of the compliance process towards a POPIA risk-adjusted mindset.
   · This also covers organisational and staff training.
2. Change the rules governing data requests and enrichment to comply with POPIA.
   · This step will ensure that all personal information extraction and manipulation is done in compliance with POPIA.
3. Implement ISO 27001 baseline security controls. (Certification costs are somewhat burdensome for smaller businesses and should only be considered if the certification justifies the spend; certification will mainly benefit medium to larger organisations.)
   · This measure will establish the baseline information security controls required to protect personal information.
   · It will also help your organisation meet some of the GDPR requirements if your business deals with EU data subjects.
4. Adopt a POPIA compliance culture.
   · This will change the attitude of all data management professionals towards the POPI Act and emphasise the urgency of complying with it.
5. Align IT compliance and risk policies, processes and procedures to POPIA.
   · This measure will update all internal operating guides, gearing them towards compliance.
6. Take accountability even for personal data residing with external service providers.
   · This will ensure that all personal information owned by the organisation, whether residing internally or externally, is treated in the same manner.
   · The responsible party remains accountable for data held or processed by third parties and operators/processors.
7. Conduct a POPIA compliance assessment before procuring commercial off-the-shelf software.
   · This measure will ensure that all IT system procurement is compliant with the requirements of POPIA.
8. Build POPIA compliance into the key performance area (KPA) and key performance indicator (KPI) contracts of all data management professionals and data touchpoints.
   · This step will make sure that all data management professionals and staff prioritise POPIA compliance in their day-to-day activities.
9. Finalise all requisite policies, processes and procedures to enable POPIA within the organisation.
   · This measure will put in place all requisite governance practices to enable POPIA compliance to be achieved within the organisation.
Source: (Agbor T, et al., 2018)