Safeguarding Data: Process (Operations)

Each business is different so when it comes to process, i.e. making PoPI part of your business operations, the advice and solutions will be different. In general though it is important that you:

• Review and update all your standard and special agreements. It would be best to seek legal counsel on this.
• Review and update all documented policies and procedures (e.g. the office manual) to ensure they comply with the PoPI requirements and re-educate staff accordingly. If documents do not exist it is time to document the processes that involve personal information.
• Review existing electronic processes and update them with steps that incorporate PoPI. This could include notification and/or “sign off” steps where staff are informed and held accountable as part of the process when they deal with personal information. Considering WorkPool processes you could include educational content or extra steps in your process to ensure staff deal with personal information in the appropriate way, or limit access to times when it is required.
• Get your hands dirty. We often deal with clients where they tell us how a process is supposed to work, only to find out that in practice it is not even close. It is time for you to tell people to “show me” and confirm first-hand how things work so that you can update and improve these processes.
• PoPI is big picture stuff. This means you must take a holistic approach to unify your systems, resources and processes so that they fall in line with the new PoPI legislation. It would be best to have central control over PoPI as opposed to managing it in each department. Processes go hand in hand with having a data map that represents how personal information fits into your organisation and a BNS to make sure this translates throughout the operations. The more you duplicate and share personal information, the bigger your risk.