We hear it all the time, “you have to have POPIA policies!”, but what exactly does this mean? A number of companies that I’ve spoken to take policies as being the be-all-and-end-all of POPIA (though I suppose that’s a step up from it being all about consent). Yes, you need to have policies, but it’s not prescribed as a “POPIA Policy” in the act, and having a document that is named as such does not make you compliant. My view is that the relationship between POPIA, policies and your business is one of “frenemies”: friends or enemies depending on the situation. Policies must be in place for any POPIA journey, but they must be implemented correctly lest they cause more harm than good! Here are some key pointers around policies that you should be aware of.
There is no one-size-fits-all
You cannot just take someone else’s policies and apply them to your business, nor can you just implement a template and hope for the best. Every business is different, and you need to carefully review policies to make sure they are acceptable to you and that you can actually comply with them. Copying and pasting from another business, even in the same industry, would not reflect the culture of your organisation, nor would it reflect your risk profile.
Second to this is that compliance is not necessarily a single policy. POPIA is an ecosystem and a way of doing business responsibly. It ties into a number of policies in the business, such as IT policies, Acceptable Usage Policies (AUPs), data protection policies, privacy policies, and your PAIA manual (where applicable at this stage). In short, your policies are the “on paper” documents that show you are adhering to the 8 conditions of POPIA. It’s important that you read through each of them and review accordingly.
Policies must be kept up to date
You should review your policies on a yearly basis to confirm they’re still valid. I have worked with some very successful policy rollouts where the policies are as dynamic as the work environment. Cultures change, risk profiles change, and technology changes, all of which have an impact on your policies and their wording. Sometimes a new line of business necessitates a change of policy, such as complying with a security requirement from a client or implementing a Zero-Trust framework; in other cases it may simply be that technology has moved on. I’ve had to edit a number of policies across different companies recently that refer to Personal Digital Assistants, 1.44MB floppy disks, and even data on microfilm, none of which are in place in today’s business (nor would some of your younger employees even know what they are).
An additional note to this is that you need to ensure that your policies are accessible to employees. They govern what people should and shouldn’t do, so accessibility and understanding are important for staff. I’ve seen companies using different methods of achieving this, from rolling out Enterprise Risk systems to simple solutions such as running a free WordPress site internally. What you don’t want is policies that are locked away in a dungeon somewhere, never to be brought out until there’s a disciplinary issue. In one case, I worked with a company that took almost four weeks to send me a policy because they had to wait for a CD to be taken out of a storage facility and couriered to them! This is not ideal…
Your operations must match your policies
Lastly, and possibly most importantly, your operations need to match what your policies say. It helps nothing to say how responsible you are with data on paper and then not follow your own rules. I’d hazard that the regulator would also frown upon false claims in your company documentation! You need to be sure that your policy responsibilities are actually achievable within the business, and you need to ensure that you follow them. Policies that accurately reflect the business make for a robust compliance programme, and accountability to policies and procedures is vital to achieving your goals. As I’ve said previously, one of the biggest risks in not having policies that “stick” is when the executive team bypasses them, creating a cascade effect down the chain and effectively negating your policies in the long run.
Ross G Saunders Consulting offers a number of solutions that can drive your compliance and security maturity; from affordable 16 week group coaching programmes to comply on your own, through to advisory retainers and full programme management. To find out more about the offerings available, book time directly with Ross using the calendar below.