In 2005, as PAIA (the ill-fated and silly Promotion of Access to Information Act) loomed, I worked with a group of small-business owners. We called ourselves Business Warriors.

The PAIA Act demanded that every business in SA submit a manual to Govt defining how the business would manage requests for information from the great unwashed. The original plan called for each such manual to be printed in the Government Gazette. (Nobody worked out that 600,000 manuals at 5 pages each would be enough to clog the Gazette printers for years.) Plan B called for an emailed PDF. (On due date the volume of PDFs blew out the SAHRC email servers for 6 months so they simply deleted them all. But that's another story.)

Anyway, we figured out that we small businesses were almost identical and so we shared a common template. At R200 this was a whole lot cheaper than the R5k+ fees we were individually being charged by overworked attorneys.

A bunch of my clients asked if we could do the same thing this time around.

POPI (Protection of Personal Information) is a very different beast. It mimics similar laws around the world. The Australian version goes live in February. The European Union version goes live in May. It's real. And it's not going away.

The deeper I dig into the issues that POPI raises the more concerned I get.

[Image: Data Map.jpg]

This is a map of most of the apps I use and the data I hold. Almost every app holds a combination of client info that the Act regards as personal info. I am responsible for that info. (As are you for the info you hold about me and any of your prospects, clients, suppliers, staff,...) In theory, I can hold each of these apps responsible if they expose my data in their systems. But, like you, I have no contract with them that says they are POPI (or any other privacy law) compliant. So the Information Regulator will look to me for answers.

Just one of those apps, GMAIL, holds a staggering amount of detail from various clients. As well as CSVs, XLSs, ZIPs, etc - all backups of sites and membership systems as well as exports and imports as I moved data between systems. Just as you do. (I've cleaned them off, but it was a tad scary to see how much had accumulated.)

In that list LinkedIn, Skype, Facebook have already been breached.

I am working on a solution similar to the PAIA "template" from 2005. The first facet of that is asking lots of questions. I've been doing that for 6 months.

There is so much to this POPI thing that I have a free email course on POPI. One email/day for 12 days, looking at some of the key issues for small-business owners.

Feel free to join the course here. (It looks like an affiliate link because that's the easiest way for my system to track where folk come from. I am using Facebook, Adwords, Direct Email and LinkedIn to reach out to folk. It's my own service so I don't pay myself affiliate fees :-) )