1.1 DAY 1 – Here’s looking at you!
We start by mapping out your business and the data that you manage, then compare that to the penalties outlined in POPIA. Then we look at the roles and responsibilities required by the POPI Act.
By the end of the class, you will have:
- A risk assessment of those areas of your business that are impacted by POPI
- A clear picture of exactly what POPI expects from the head of your organisation and your management team, and the extent of personal liability on these individuals
1.2 DAY 2 – Get ahead of what your customers will expect from you
The type and size of your clients dramatically change how much risk POPI presents to you. Many companies start their POPI programme because a client insists on a privacy policy or a data processing agreement, or includes POPI (or privacy and data protection) in their next due diligence assessment. You need to demonstrate that you are mature enough as an organisation to be trusted with their data, but what does that mean exactly?
By the end of the class, you will have:
- A risk analysis of your client base with your most at-risk areas prioritised
- An understanding of the POPI changes needed for your most at-risk client
1.3 DAY 3 – A direct tackle on direct marketing
To really get going, we grab the bull by the horns and create a plan to get your direct marketing sorted out. Why focus on direct marketing? It is arguably the most public and most common privacy issue in nearly all businesses. It is also a practical way to introduce most of what you need to know about the POPI Act.
By the end of the class, you will have:
- A definitive answer on exactly how POPI impacts on your direct marketing and what you need to do about it
1.4 DAY 4 – Know who you are in bed with
After direct marketing, suppliers, vendors and other third parties have proven to be the next high-impact source of risk to reputation and regulatory compliance.
By the end of the class, you will have:
- A high-level privacy risk assessment of your suppliers and vendors
- Ideas on how to mitigate those risks
1.5 DAY 5 – Limit that risky business
POPI (and other privacy legislation around the world) mandates that you do some very specific things, such as auditing how you manage personally identifiable information and assessing the risks your business may be creating for other people. In this module, you will learn the fundamental capabilities that you need in order to manage privacy in your organisation. You will also complete one of the key responsibilities that the Information Regulator will expect to see in place if they ever audit you.
By the end of the class, you will have:
- A high-level privacy/personal information impact assessment for your most risky process
- A plan to manage any future data breaches
- A plan to conduct privacy awareness training
1.6 DAY 6 – Safe and secure systems
POPI requires that “reasonable organisational and technical measures” be in place to protect and secure personal information. In this module we use a practical approach to understanding your business systems and technologies. If you don’t know your network from your server and feel unsure whether a spreadsheet is a database, fear not! You can fake it until you make it! The tools we use will allow you to get a handle on what’s cooking before you hand over the detailed assessment to your tech teams.
By the end of the class, you will have:
- A high-level privacy/personal information impact assessment for your most risky system
- A plan to identify any future data breaches
- A draft security & privacy policy
1.7 DAY 7 – Opening up to transparency and participation
One requirement in POPI that can have a high impact on you is the requirement to enable people to contact you about their data (i.e., “data subject participation” in POPI-speak). It is a requirement that can introduce risk if not thought through properly, which is why we focus on ensuring you implement the right level of procedures, ones that are sustainable for your business. While we are on the topic of communicating externally, we will also address the very important aspect of interacting with the Information Regulator and the requirement for a privacy manual.
By the end of the class, you will have:
- Draft procedures and forms that satisfy POPI Regulations for access, amendment, deletion and objections
- A plan to identify and address any privacy notices that are inadequate
- Assigned responsibilities for interacting with the Information Regulator
- A draft Privacy and Access to Information Manual, as required by the POPIA regulations
1.8 DAY 8 – Wrapping it up and looking ahead
On the last day, we consolidate what you have learnt into a formal compliance framework and a clear plan. We will also look at the marketplace of privacy frameworks, standards, tools, legal services and management systems so that you are well placed to negotiate before you purchase any privacy tools, and so that you can decide whether you need a formal privacy audit.
By the end of the class, you will have:
- A privacy compliance framework, as required by POPIA regulations, and a defensible response to crazy privacy demands from clients or potential clients
- A POPI compliance implementation plan prioritised against your unique risks