Every organisation should have a privacy strategy. It should be unique and specific to your business and meet your business's requirements. There is no one-size-fits-all approach to a privacy strategy.
These are some of the privacy strategies we have encountered among our clients:
- Absolute compliance
- Minimum compliance
- Least money for the biggest impact
- Keep the CEO out of jail
- No official strategy
We are not advocating any one of them in this article. We are simply sharing what we have observed.
Absolute compliance
When clients say they want "absolute compliance" with POPI, it is important for us to understand their approach to privacy and their privacy strategy. It all depends on what they mean by the term "compliance" [1]. Do they follow:
- a compliance-with-law approach?
- a risk-based approach?
- a best-practice approach? Or
- a combination of the three?
It can be argued that there is no such thing as "absolute compliance". For example, it will be very difficult for larger companies to avoid privacy breaches altogether (many companies lose several laptops a year through car hijackings, house break-ins and the like). Under this approach there is an obligation to comply with the legislative requirements of POPI, but also i) for the company to comply with the Regulator's rulings (the Regulator does not yet exist) and ii) for the operational staff responsible for POPI to comply with what is expected of them, for example by making the product disclosures that POPI requires. It is also important that "compliance" takes place on a daily basis, not as a once-off exercise.
Minimum compliance
Even if a state of "minimum compliance" is achievable, it is still necessary to understand the legislative requirements and the impact of POPI on your business. This in turn requires i) that you know what is happening with the personal information that you process and ii) that you have the expertise to deliver it.
Least money for the biggest impact
Even if this approach is possible, you still need to know "the big picture": what your definition of "compliance" is, and what you would have to comply with in the ideal compliance scenario. Only then can you work out what you need to address at a minimum, and where the limited money will have the biggest impact.
Keep the CEO out of jail
Many see this as a pragmatic "fly under the radar" approach, taking into account things like i) the offences and penalties under POPI, ii) when the Regulator will be in a position to start issuing rulings (in many foreign jurisdictions it took the Regulator several years to 'have teeth') and iii) your understanding of the 'big picture' when it comes to POPI.
This approach, like all the others, needs to be carefully assessed.
Article printed from Michalsons: http://www.michalsons.co.za
URL to article: http://www.michalsons.co.za/whatisyourprivacystrategy/
URLs in this post:
[1] what they mean by the term "compliance": http://www.michalsons.co.za/whatiscompliancewhichapproach/
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.