#1: Waiting too long

12 months is little time to evaluate and adjust all business processes impacted by POPIA.  Starting too late will risk compliance and occupy resources at unplanned times.  Develop a strategy, assess where help is needed and deploy before help is in high demand. You need to instill culture change.

#2: Underestimating scope

POPIA is not only about website cookies and consent notices.  You need to maintain compliance with all 8 conditions in the act.

1. Accountability

2. Processing Limitations

3. Purpose Specification

4. Further Processing Limitation

5. Information Quality

6. Openness

7. Security Safeguards

8. Data Subject Participation

#3: Not recognising stakeholders

POPIA is not only an IT or a legal problem.  The Responsible Party* must recognise all Operators* throughout your business (including service providers and clients) that are receiving, creating, processing or disposing of data and data containers.

Also consider the Regulator’s actions.

#4: Lacking agility

Your business will need to make operational changes and be ready to deal with a privacy breach.  Lacking the agility to manage and consolidate change will prevent you from achieving strategic objectives for compliance. Leadership, strategy and agility start with the Board and CEO.

#5: Taking a manual approach

Taking a once-off off and manual approach might achieve the deadline but is unlikely to maintain compliance.  Avoid perpetually occupying valuable resources.  Allow technology to help you assess and maintain compliance by monitoring your data processing culture and activities.

Aguru Data Governance – dataBelt Brochure

#6: Not taking a risk-based approach

Without considering the implications of your compliance journey (and the impact that you will experience from your suppliers / clients performing their compliance journeys) your business will be impacted by unforeseen risks. Think litigation!