Engagement overview
The POPI bill was promulgated in December 2013. The Act stipulates eight conditions that must be met when obtaining and dealing with personal information from data subjects, and a key element of the Act is a person’s “constitutional right to privacy, by safeguarding personal information when processed by a responsible party”.
Before partnering with BSG, the client had struggled for two years to implement POPI and to define the correct solution for their organisation. BSG was able to understand the requirements of the Act in relation to the client environment and ensure an appropriate implementation.
With POPI compliance impacting the whole organisation, BSG developed a tailored risk management strategy and programme that specifically reflected compliance from the perspective of the business’ people, processes, policies and systems – while aligning to the eight POPI conditions.
BSG undertook in-depth analysis to determine feasible solutions. Data-flow assessments, split across the POPI themes, formed the basis of the analysis to identify the gaps. This required interaction with business owners, system teams, information security, procurement, compliance and legal. To close the identified gaps BSG also worked closely with the client’s developers and analysts.
BSG recommended using existing systems and leveraging existing functionalities to adhere to POPI, as the least costly solution. By using a risk-based methodology, BSG could identify areas of non-compliance and associated controls to be implemented. Of the 144 systems in the client environment, 37 systems contained POPI data. BSG used the risk-based approach to prioritise 10 identified POPI-relevant critical systems to implement compliance.
The client’s chief risk officer did not want to rely solely on system enhancements for compliance and stressed the importance of people playing a key role in information security. Working with multiple systems is challenging because of the many points at which data enters and exits, and because it is difficult to know who is sharing information. Significant effort was required from BSG to understand the data flows so that these challenges could be managed. BSG not only supported the implementation but also assisted with closing out all outstanding analysis gaps and provided advice on POPI compliance at group level.
Making a difference
A key stakeholder in the client environment commended BSG on the clear direction provided on benefits, how to manage constraints and the focus that BSG brought to bear on a process that had been challenging for the client.
Banks in particular face a challenge in understanding what information should be deemed personal, which requires clear definitions. They also hold such vast quantities of information that they lack an accurate view of what data is entering or exiting the organisation, and if a data breach were to occur, they would not know its source. Data flow is therefore crucial to understanding how data enters and exits an organisation, and BSG was instrumental in ensuring the client understood this.
Another critical element of the delivery was not sacrificing compliance for business value, e.g. how to correctly engage with customers through marketing consent. POPI compliance will enable the client to reassure customers that their personal information is safe, positioning the client as a responsible citizen while driving brand trust.