Turning the POPI Act into a benefit not a burden: the Case of Downes Murray International
Content provided by IACT Africa, specialist business consulting company with a focus on assisting organisations to add strategic value to IT Governance and IT Management.
Most of us would probably agree that the last thing most companies need, particularly when it comes to fundraising, is more red tape, complex rules and legal mumbo jumbo. When the news came out in late 2013 that President Jacob Zuma had just signed into law the POPI Act (the longest piece of legislation to bear his signature to date), many of our readers, like Downes Murray International (DMI) at first take, probably rolled their eyes, sighed and wondered ‘whatever next?’ But when the DMI management team considered the POPI Act more carefully, the picture changed very quickly.
"We realised that this new legislation could actually help and not hinder us in the work we do,” says Jenni McLeod, Director at DMI. “We saw that not only did the POPI Act bring clarity to a number of previously hazy issues, but in giving us and our clients a chance to address the privacy concerns of many of their local and international donors, compliance with the POPI Act could quickly be turned into a benefit not a burden.”
By demonstrating the ability to match international practice in data protection, DMI could win the respect and confidence of South African and global stakeholders. To achieve these benefits would, however, require some time, effort and a degree of financial commitment.
Getting the POPI wheels turning
During 2014, the DMI management team watched international developments and the growing concerns over the increasing number of data breaches (incidents where data privacy measures were unsuccessful and were becoming regular headline news). After careful consideration DMI turned to one of its long term trusted advisors for their support.
“We have worked closely with Grant Thornton over many years and knew we could rely on them for good advice,” said McLeod. After a number of initial discussions to understand what would be involved, an agreement was reached in early 2015 to formalise a project approach to preparing for compliance with the POPI Act.
“One of the first things we really got right was to involve the whole management team at DMI, and not to treat this just as an IT or legal issue,” she said. “The early recognition of the importance of broad management buy-in was demonstrated by not only having the various operational areas of the business involved in the initial project kick-off, but by ensuring that the various actions required were owned by the relevant management team members throughout the project.”
Making POPI compliance a reality
With the guidance provided by specialist consultants from Grant Thornton, the DMI project team, headed by Jared Collison, (accountant), set to work. A formal project plan was developed, which included carrying out a number of assessments.
“The POPI project actually worked to our advantage from the outset, as the scope of work made us focus on a number of areas that needed our attention. These included a comprehensive review of risks associated with managing all types of personal information,” he said.
“The Grant Thornton team’s knowledge, skills and experience gained on previous POPI compliance projects paid off handsomely for us, as we were guided every step of the way, speeding up the whole project and reducing the risks associated if we had tried a D-I-Y approach.”
“We knew DMI had the right approach,” says Michiel Jonker, Director: IT advisory of Grant Thornton Johannesburg, “when they understood that the project would help to position DMI to reap the benefits of their investment in terms of their market leadership, not just legislative compliance. We sometimes have to dissuade our clients from taking their risk profile beyond the acceptable by trying to ignore aspects of legislative compliance and good governance, rather embracing change, as happened at DMI”.
“It was heartening to find when it came to the POPI awareness training sessions, that the level of the broader DMI team buy-in was as strong as that of their management colleagues,” adds Peter Tobin, lead Grant Thornton consultant on the project.
The road ahead
Whilst all involved agree there’s work that remains to be done, as the impact of changes made are fully felt, the progress to date has met the expectations set at the outset of the project. “We are confident we have positioned ourselves to not only comply internally, but are much better informed to discuss POPI issues with all our stakeholders,” says McLeod.
Acknowledgement: this is an edited version of the article “Turning the POPI Act into a benefit not a burden: the Case of Downes Murray International,” by Dr Peter Tobin which appeared in Downes Murray International’s Fundraising Forum, Issue 103 December 2015, on www.dmi.co.za