Privacy by Design – A tailor-made approach to compliance

14 October 2020

Implementing organisation-wide change is rarely a cookie-cutter exercise, or a one size fits all garment.  Even more so when change is modelled around data protection and compliance.

At Kriel & Co, we’ve developed our change methodology to take into account the organisation’s goals and desired outcomes supported by the expertise needed to best implement change.

Let’s narrow it down to the real risks associated with cybercrime that organisations face and the focus on the protection of personal information. Within this context, Privacy by Design is more valuable than ever. A recent Deloitte report says that “Privacy by Design is a framework based on proactively embedding privacy into the design and operation of IT systems, networked infrastructure, and business practices.”

Our Privacy by Design approach is broken down into three phases to allow for a systematic and calculated implementation of change – both on a human and digital level. We feel strongly about not overwhelming an organisation and its staff by the change process, but to rather equip and empower people to believe and support the objectives for change to be truly sustainable.

Phase 1: Assessment

During the assessment phase, the focus is on being observational. No material change to the organisation’s way of working is implemented yet. We follow both a qualitative and quantitative approach to learn as much as we can about the organisation and its processes.

Qualitatively we value conversations and conduct interviews with staff, the board of directors, committees and team managers.

Quantitatively we generally use a survey approach to gather information across the entire organisation. This approach enables us to see how teams and people are working and identify compliance-related actions and other items that we aim to investigate. We also identify the legal or compliance-related gaps with the POPIA simultaneously, so that legal and consulting time is therefore streamlined into a single analysis.

The desired outcome of this phase is to understand where the gaps are in comparison to the organisation’s goals.

Phase 2: Proof of concept or pilot phase

One of the successful components as part of the framework for managing change is that we don’t believe in barging in and implementing all the desired outcomes of change all at once. The analysis of data that we have received in the assessment phase allows us to take the recommendations forward into a proof of concept, or also described as a pilot or trial.

During this phase, we are able to set up a test environment inclusive of a select number of staff members that will be impacted by the change. The test environment allows us to design the change with the teams which allows them to be an intrinsic part of the change birth process and understand the ‘why’ determined during phase one.

This part of the process requires teams, managers and employees to assume accountability to 'become part of the change' from the onset. When the change is designed collaboratively and inclusively with staff from the get-go, change in phase three becomes much easier to implement as these employees then become the 'change champions' to other staff members and teams.

On the legal compliance side of things, this phase includes policy-related work. The new policy and compliance documents are drafted, the legal gaps are addressed, and policy frameworks are implemented.

Phase 3: Broader change

More often than not, the broader change translates into lists of digital behaviours that will eventually be phased out. During the first two phases the organisation - with the help of the change management team - we would have determined best practices and guidelines in working with data to reach the desired outcomes.

Staff members now have to navigate various policy changes such as an updated privacy or cyber policy as part of the above digital behaviours. This is where we need to be mindful of updated permissions in terms of sharing, exporting, storing or collaborating with the organisation’s data, which would have been pre-set or built into the system framework in phase two.

What does it look like for the early adopters?

I have been privy to observe the advantages that come from the changing cultures of organisations that were early adopters of data privacy technology and systems. These organisations reap the fruits of meticulous planning and investment into the implementation process of change. Three things determine success:

  1. When we use modern, cloud-based systems that are leased as opposed to being owned, it allows for faster scaling. The approach allows the organisation to be more agile and resilient in the face of adversity such as COVID-19 or natural disasters, where digital needs can be scaled up or down as is required with reasonable flexibility from the cloud service provider.
  2. We eliminate or at least mitigate risks well in advance when we follow a proactive approach to cyber-crime and potential data breach events as opposed to a reactive approach.
  3. When we empower individuals as agents of change, they know what to do and who to report to when risks such as a data breach or cyber-attack arise.

Data protection planning and compliance should be part of organisational goal setting. In turn, the organisation’s goals and strategy inform which technology is best suited to translate into an invaluable toolset that helps protect the organisation against cyber-attacks and data breaches, and places the protection of personal information first and foremost.

It is never too late to start the process. However, there hasn’t been a better time than now to onboard our multi-disciplinary team together with ENSafrica to help your organisation navigate the change associated with data protection and compliance.