I’ve posted before about POPIA being more than software or a set of policies, but it occurs to me that I need to get a little more detailed as to what exactly you need to consider when bringing in a consulting firm / software house / cybersecurity provider to handle your compliance. I’m sure this won’t be the last time I’m posting something of this nature, as I am seeing more and more companies offering complete POPIA solutions that seem to be nothing more than extensive marketing budgets and equally extensive assumptions as to the law and its practical implications.
There are a number of us out there providing POPIA solutions, and believe it or not, many of us are pretty good friends too – whether through membership of groups like the IAPP (International Association of Privacy Professionals), partnerships with each other, speaking at conferences, or referring each other to cater for different industry verticals and company sizes. Compliance, to us, is a passion and not a grudge purchase. We WANT companies to succeed and we WANT companies to comply.
We are also here to protect you from unsubstantiated claims and fear mongering.
So… let’s get into what you should be looking at from a POPIA service provider, and why it is important.
First, let’s tackle FUD
You may not have heard the term before, but FUD seems to be a cornerstone of marketing for POPIA compliance solutions. It stands for Fear, Uncertainty, and Doubt. FUD is when you see marketing claiming that you are going to be hit with a R10m fine and 10 years’ imprisonment unless you use their services. It’s simply not sexy or cutting-edge marketing to tell you that those are the maximum penalties in the act, that fines work on a sliding scale and are decided case by case, and that criminal prosecution is subject to various conditions in the act, not unlike the criminal charges listed in numerous other acts that have been in place for decades. Fear sells, but it’s got nothing on hope. I’m here to tell you that yes, POPIA is a lot of work, but it’s not as scary as it’s made out to be. Tackle it one step at a time, and you’ll be just fine.
There isn’t a checklist, but there is a guideline
Following on from FUD, I’m seeing a number of providers coming out of the woodwork claiming that if you purchase their software, install their hardware, or pay their subscription, you’ll be POPIA compliant. This is simply NOT TRUE.
There are a number of components that tie into POPIA compliance. Let’s start with the law itself. The act sets out 8 conditions for the lawful processing of personal information, and you need to be able to show compliance with all of them if an issue arises or someone complains to the Information Regulator about you. These 8 conditions are as follows:
- Accountability
- Processing Limitation
- Purpose Specification
- Further Processing Limitation
- Information Quality
- Openness
- Security Safeguards
- Data Subject Participation
I won’t go through each condition here as I’ve described them in another article, but suffice to say that compliance involves all of them, not some of them. Each applies differently to your business, and you can see them as a spider web of sorts. Each strand is connected, and as a whole you have a safety net. Lose a strand, and your web weakens significantly.
What does it take to cover the conditions?
This is where you get flexibility on how you comply with the law. You can make your own combinations of your spider web, but you need to cover all the strands. In my programmes, I break down compliance into the following categories, each with their own tasks and outcomes. These are all things that you need to consider for complying with POPIA (and GDPR).
- Information Officer duties, appointment, and responsibilities
- Internal and external policies and documents
- Records of processing activities
- Physical security and cyber-security
- Systems, storage, and data flows
- Incident response and rights of individuals
- Data clean-ups and retention periods
- Contracts for suppliers, employees, subcontractors, and clients
- Ongoing assessments
- Risk management and gap analysis
- Training and awareness
Now it’s fine and dandy for me to say these things to you, but what are others saying? Well, let’s glance over at the “Big 4” consulting houses: PwC has a particularly nice breakdown of what should be included in a privacy compliance programme. Presenting to the IIA on global trends in privacy, PwC lists the following high-level requirements for an effective programme:
- Strategy and governance
- Policy management
- Cross-border data transfer management
- Data lifecycle management
- Individual rights processing
- Privacy by design
- Information security
- Incident management
- Data processor accountability
- Training and awareness
As you can see, this is a lot more than just a software package, or an anti-virus solution, or a firewall, or a pack of policies. There is no quick fix for privacy compliance, and any service provider should be able to speak to the above points.
How do you evaluate a service provider?
There are a few ways I would evaluate a service provider, and the first question isn’t necessarily “how long have they been in business”. For example, there are a number of excellent software providers supporting compliance that are pretty new to the game. But therein lies the first question: are they claiming to be a silver bullet, or are they going to require you to do some work? If the answer is “silver bullet”, I’d start questioning. Much of POPIA compliance will still require “homework” from you and the team members who are familiar with the operations of the business.
That said, how long have they been in business, and how long have they been dealing with POPIA? POPIA has been on the statute book since 2013, yet it only took effect last year (2020). Check how much content they have shared around compliance, and what offerings they had in the market before then. Folks are going to be entering the market all the time, but do they have the experience to advise you? Ask what their credentials are. Do they have staff members who hold certifications such as the CIPP (Certified Information Privacy Professional)? Is anyone a member of a professional body such as the IAPP? Privacy legislation is incredibly complex, and it is simply not something you are going to be well versed in after three months.
Then ask the provider how they comply with POPIA themselves, for example:
- What is the name of your Information Officer?
- How do I get access to my personal information?
- Do you have a record of processing activities?
If they can’t tell you how they are complying, I feel they are falling dramatically short of being able to advise you.
Do they cover the conditions of POPIA? The conditions are non-negotiable; if a provider doesn’t mention them, I’d take a skeptical eye to it. Those 8 conditions are the law, and you need to hit all of them, not some of them. Cyber security solutions, firewalls and software scanners all fall under just one of the conditions, Security Safeguards. The other seven still need to be addressed, so ask the provider how they do so.
Lastly, how much FUD is in use? The scarier the claims about going to jail or paying millions in fines, the more suspicious I would be. You are not going straight to jail; we have a robust court system. You are not getting a R10-million fine straight off the bat; you will be evaluated case by case on how you’ve addressed the conditions and what actually happened. FUD is great for grabbing your attention, but it won’t solve your problem.
Ross G Saunders Consulting offers a number of solutions that can drive your compliance and security maturity; from affordable 16 week group coaching programmes to comply on your own, through to advisory retainers and full programme management. To find out more about the offerings available, book time directly with Ross using the calendar below.