The last few weeks have seen the privacy industry heating up here in SA, what with the introduction of POPIA. In that time I’ve seen a lot of advice dispensed by non-specialists in the privacy field; some of it is valuable, but a lot of it is dangerous. This week’s post lists the top 10 myths I encounter in advisory work and in questions from clients and workshop attendees.
1. When you’re done, you’re done
This is probably the most frequently encountered myth. Your privacy programme is never “done”. Sure, you’ll implement a lot of changes that can be checked off, but the compliance work continues long afterwards. Think of it in terms of building a piece of software: the initial work is heavy lifting to get the first release out, but then you have to keep patching and developing as feature requests come in or bugs are discovered. It’s much the same with your privacy programme: heavy lifting up front, and then maintenance going forward.
2. You can comply with a policy pack
I’ve seen many document packs popping up over the web in the last couple of months, claiming that if you purchase a bundle of 5 or 10 or 15 policies you’ll be compliant. This is not the case. Policies and procedures are only one part of a much broader programme and culture that needs to be implemented. Yes, you need them, but no, they’re not the be-all and end-all of your journey. We unpack this further in number 5 below.
3. You need consent for everything
Consent is only one of the lawful bases for processing, and you need to consider carefully whether it is the right one to rely on. By all means, have it in place for prospective clients, but once you are engaged with them you would be much wiser to rely on a contract rather than on consent. Consent can be revoked at any time, which means you would have to stop processing. When you are in the middle of delivering a service, this can leave you up the creek. Rather rely on contractual obligations, and be clear about your purposes and retention periods.
4. You can hold on to data forever
Speaking of retention, you have to set this up. You can no longer keep data indefinitely. If data has fulfilled its purpose, and you’re no longer in a contractual (or similar) relationship with the person or company who owns the data, you have to give it up or de-identify it (with NO chance of re-identification, which is easier said than done). You can keep information after a contract concludes, such as in a backup, but you have to specify your purpose for doing so and you have to define when the data cycle actually ends and the data is destroyed.
5. There is a one-size-fits-all solution
As mentioned in point 2, templates cannot save the day. They do help, and they are a great departure point for your programme if you have nothing in place, but they must be customised to your organisation. Just as the templates need to be customised, so do your procedures. I have yet to work for two companies with identical procedures. Even within a single company, different teams in different regions operate differently, so it stands to reason that your programme will be as unique as you are.
6. There’s no benefit other than compliance
Seeing compliance as a grudge purchase rather than a positive part of company culture is a mistake. There are many benefits to running a programme and having your processes and flows mapped out. You are seen as trustworthy (something I have seen a number of companies market very effectively), and you also develop a playbook from which new employees get the rundown of procedures and processes from a defined source, rather than a figure-it-out-as-you-go approach. You’ll gain productivity in the long run and win new clients too, I’m certain of it.
7. SaaS/Software providers are not responsible for their clients
This was a gem I heard in the last week: a software company categorically stated that it would not implement new features to assist its clients with “frivolous” data subject access requests, and that responding was the client’s responsibility alone. This is so far from the truth it’s scary. While they are not obliged to implement new features, they are obliged to assist the responsible party (the client) when it comes to an access request. They may have saved themselves some development time, but I’m pretty sure they now have a client shopping around for another provider after that response.
8. You need a dedicated team
Let’s not kid ourselves: the initial workload for a privacy programme is huge. However, it does not need to be carried by a dedicated team or individual. Every South African entity has an Information Officer (by default the head of the entity), and that officer may delegate aspects of the programme. I recommend that procedures are drawn up not by the Information Officer but by the teams that deal with the process every day. Design at the coalface and you get a true representation; design at the top level and you get something aspirational and totally off-key.
9. A cover letter or email can be used in place of an agreement
While it is a step in the right direction, sending a cover letter or email that says “please remove this after you’ve completed xyz” is neither watertight nor effective when it comes to managing the Responsible Party / Operator relationship. It falls into the same category as not having staff sign for policies: you can have the best wording in the world, but if the other party hasn’t agreed to it, you don’t have a leg to stand on. You need to put in place a proper Data Processing Agreement that governs how you and the companies you work with handle data.
10. It’s expensive
Sure, doing EVERYTHING possible to protect data is expensive, but privacy regulation in general takes the approach of requiring what is “reasonably practicable” for you. This means you do get to use your discretion in your programme. Taking a risk-based approach and tackling the highest-impact items first can reduce both costs and risks significantly. You don’t have to bring in a team of attorneys to help you with compliance; there are many ways to reach the end destination.
Ross G Saunders Consulting offers a number of solutions that can drive your compliance: from affordable 16-week group coaching programmes that help you comply on your own, through to advisory retainers and full programme management. To find out more about the offerings available, book time directly with Ross using the calendar below.