POPI Impact Assessment and Gap Analysis

The POPI Act; Impact Assessment and Gap Analysis

Johan Eloff and FC Basson, Magna Group

17 May 2017

Have you started your privacy compliance journey with a POPI Gap Analysis (GAP) or Privacy Impact Assessment (PIA), sometimes called a POPI Readiness Assessment? This is probably a good way to start but organisations should be aware of the objective, contribution and limitations of these two methodologies. The two terms GAP and PIA are the most commonly used internationally.

The PIA as a methodology has wide application in the US and specifically the Department of Homeland Affairs for purposes of compliance. PIA has also found its application in the General Data Protection Regulation (GDPR) in the European Union where this regulation will replace Regulation 95/EU in May 2018.

The PIA is commonly used to determine the impact of risks, risk mitigation and remediation, where new products, services and system solutions are evaluated, and the alternative use for privacy data might affect existing privacy compliance. The PIA is therefore not necessarily an in-depth analysis tool and is often used for quick assessments, relying on existing compliance capabilities in an organisation. It might therefore not be a sufficient assessment tool in the South African context where we are starting from a clean sheet regarding privacy.

A GAP analysis is a more detailed investigation or assessment approach and similar to the common “As-Is / To-Be” methodology. Therefore, compared to a PIA, in a GAP analysis there is a stronger requirement to define the current state. To transition from current state to a required end state, including roadmaps and/or a strategy, the “As-Is” assessment should contain sufficient detail to ensure the reliability of the roadmaps and/or strategy.

Obtaining the required level of detail presents a unique challenge to the implementation initiative. In most projects reliance can be placed on functional subject matter experts, defining the current state (HR, Finance, Commercial, Sales, etc.) whilst with POPI this expertise does not exist. Therefore, organisations should give due consideration when selecting service providers to assisting them with this exercise. Keep in mind that privacy is about data. The applicable policies, standards, controls, processes and governance structures exist because of the requirement to process a specific set of data lawfully.

Magna focusses on the implications of the POPI Act on business disciplines and uses a pragmatic compliance model. This approach addresses the impact on policies, processes, regulations, risk reduction, access control, data custodianship, business controls, IT governance and organisational culture, values and behaviour – the hidden practicalities of the POPI Act.