The POPI Act and King IV

Content provided by IACT Africa, a specialist business consulting company with a focus on assisting organisations to add strategic value to IT Governance and IT Management.

Good Corporate Governance is something that should resonate with the SME audience, as “Corporate governance refers to the structures and processes for the direction and control of companies. Corporate Governance (CG) concerns the relationships among the management, board of directors, controlling shareholders, minority shareholders and other stakeholders. Good corporate governance contributes to sustainable economic development by enhancing the performance of companies and increasing their access to outside capital” (1). In essence, good CG is powerful medicine.

In early November 2016, while many South African executives and small business owners were preoccupied with the looming threat of a ratings downgrade and the continuing uncertainty over the fate of the Minister of Finance in South Africa, the latest version of the local code on Corporate Governance (CG) saw the demise of King III™ as King IV™ was launched. The event, held in Sandton, was well supported but sadly, given the high attendance fee, was barely accessible to many of the Small and Medium Enterprises that the new CG code is intended to address. In case you missed the launch or had other priorities for your hard-earned revenue, here are some tips about CG and POPI.

The foundation of success lies in assigning responsibilities for activities that will contribute to effective governance. It is no different when establishing governance mechanisms for laws such as the Protection of Personal Information (POPI) and the Promotion of Access to Information (PAIA) Acts. The first step in preparing for compliance with these Acts is to identify the elements of governance that will be required to prepare for and maintain an appropriate level of compliance with the Acts.  In principle, it is best to start a POPI Compliance Preparation Project (CPP) which incorporates PAIA. The project should aim to understand your current level of readiness for compliance with the Acts, identify the relevant stakeholders, assign responsibilities for carrying out compliance preparation tasks and ensure that these are completed within an agreed timeframe.

In many larger businesses there is a Board of Directors, a Management Executive Committee and functional or departmental managers, who make up the main layers of senior management involved in good governance practices. For the small or medium business the reality is that there is often only one level of management: the small business owner. Whatever the size of your business, there should be a formal, written commitment to comply with the POPI Act and PAIA. SME owners should appoint a project manager (potentially themselves) who will be responsible for identifying project team members and allocating project tasks to them as part of their compliance project.

During the CPP, roles and responsibilities for managing the processes for maintaining compliance once the project has been completed should be defined. There is an essential role required by both the POPI and PAIA Acts, namely the Information Officer. By default, this is the designated head of an organisation, typically the CEO or business owner. The POPI and PAIA Acts make provision for the appointment of Deputy Information Officers to whom the Information Officer can delegate the day-to-day tasks of managing compliance activities. This individual’s role may even be carried out by an external service provider, already a common practice in smaller financial services businesses.

It is useful to have a comprehensive, structured assessment of your governance. This of course can be applied to other aspects of your SME business, not just POPI/PAIA. In our work with our clients we have identified as many as 30 POPI/PAIA governance elements for consideration.

In summary, when an integrated approach is used to address the role of your business and the way you treat stakeholders, whichever King sits on the throne, good corporate citizenship and POPI Act compliance will all help to make your business stronger in these uncertain times.

P.S. Don’t forget to follow @sapopitalk on Twitter. You will be kept up to date on all things POPI. With the Information Regulator having taken up her post on 1 December 2016, now is a really good time to keep in touch with developments. 

Practical tip: for a free download of King IV™ visit www.iodsa.co.za

Acknowledgement: This article authored by Dr Peter Tobin has previously appeared in the January 2017 edition of My Office Magazine, Vol 101, Issue 1.

(1) Definition courtesy of http://southafrica.smetoolkit.org/sa/en/content/en/6739/Corporate-Governance-Definition
