What can we learn from the GDPR?
The European Union Privacy Law, the General Data Protection Regulations (GDPR) went into effect on 25th May 2018. Even if you don't follow the GDPR or POPIA, and aren't really interested in Privacy Laws, you will have been affected. Users of Facebook, LinkedIn, any other social media platform or any online tool will have received notification from them that their Privacy Policies had been changed, and you need to acknowledge that you understand the new terms and conditions. Other than this immediate requirement, we noticed a few other things.
Time taken to get ready for GDPR, (and POPIA)
Up until the very last day, we received notifications that organisations had now implemented new policies, procedures and processes in accordance with GDPR. Why is this significant? Many of these organisations were very large, very well known entities, with massive infrastructure and IT budgets. If these organisations left it to the last minute, and then had to scramble to meet the deadlines, there is a strong chance you'll be in the same position. For many of them, it wasn't so much that they left it to the last minute, but rather that they underestimated the amount of effort required. With large infrastructure comes large, complex systems, with many touch-points for Personal Information. The key learning here is that it will take longer than you anticipate, and will probably need more resources, especially in time, manpower and money, than you expected. In the interesting Crowd Research report, https://crowdresearchpartners.com/portfolio/gdpr-compliance-report/ over half the organisations researched wouldn't be ready by the deadline.
Don't underestimate the resource requirements
The report cited the following key reasons for not being ready in time:
- lack of expert staff (43%),
- lack of budget (40%),
- limited understanding of GDPR regulations (31%).
It is expected that South African organisations will follow a similar trend. In our discussions with organisations of all sizes, we are hearing similar comments. Even when expert staff exist, they are spread thinly and are not available to devote enough time to the POPIA project. POPIA isn't purely about the law, and experts need to be gathered from various disciplines, including ICT, Records Management, Information Security, Legal, Marketing, HR and change management, and the Business functions. All of these disciplines must provide input if the implementation is to be comprehensive and successful.
Don't underestimate the complexity of POPIA
In another fascinating article published by Bloomberg in Information Management (online) we noted the following: https://www.information-management.com/articles/blocking-500-million-users-easier-than-complying-with-the-general-data-protection-regulation?utm_campaign=security%20briefing-may%2029%202018&utm_medium=email&utm_source=newsletter&eid=f90702d8557f7779c24c2e8aeb5bfd88
For some of America’s biggest newspapers and online services, it’s easier to block half a billion people from accessing your product than comply with Europe’s new General Data Protection Regulation.
The Los Angeles Times, the Chicago Tribune, and The New York Daily News are just some telling visitors that, "Unfortunately, our website is currently unavailable in most European countries."
If one considers the size of some of those publications, then this has to tell us that the tentacles of privacy are very far reaching. Almost all organisations have websites, and if the website is read in Europe, and especially if it is a subscription-based site with users from all around the world, the cost of compliance may be very high. For these newspapers, the risk of not complying is considered so high, that the service is no longer available, even if only temporarily.
GDPR compliance is a great starting point for South African organisations who are embarking on the POPI Act journey
Complying with the GDPR is not a simple task, and neither will be complying with the Protection of Personal Information Act (POPIA). But sadly it is unavoidable and can't be ignored. Privacy is a serious issue and needs to be taken seriously. Until the South African Regulations are finalised and in force, local companies are encouraged to look to the GDPR as guidance. Whilst there are some clear differences in requirements, the principles are similar.
The earlier you start, the easier it will be
Whilst this sounds like a trite statement, the reality is that those who start preparing now, will have the ability to implement relatively easily, and without the stress and mistakes that come with the last minute rush.
You don't have to do it alone, or reinvent the wheel
There are some very skilled organisations out there who can assist in all aspects of implementing POPIA. We have gathered a team of specialists who can assist, and have compiled a set of instruments that will speed up the process, without you needing to start from scratch or reinvent the wheel. Contact us to find out how we can fast-track your process and reduce the costs and time taken to be compliant, at the same time as possibly improving business processes.