• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Practical steps to take in preparation for the Protection of Personal Information Bill: Cross Border Data Transfer - Tammy Bortz, Werksmans Attorneys

Practical steps to take in preparation for the Protection of Personal Information Bill: Cross Border Data Transfer - Tammy Bortz, Werksmans Attorneys






Total Views
Views on SlideShare
Embed Views



1 Embed 2

http://www.linkedin.com 2


Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    Practical steps to take in preparation for the Protection of Personal Information Bill: Cross Border Data Transfer - Tammy Bortz, Werksmans Attorneys Practical steps to take in preparation for the Protection of Personal Information Bill: Cross Border Data Transfer - Tammy Bortz, Werksmans Attorneys Presentation Transcript

    • Practical steps to take inpreparation for theProtection of PersonalInformation BillCross Border Data TransferTammy Bortz
    • Introduction POPI – very specific about how PI must be processed No question that POPI will in some way impact most businesses in RSA Not yet law but given the implementation period 1 year (proposal of 3) organizations need to start preparing now International experience – anything between 3 to five years Need to be practical
    • WHY COMPLY? Non-compliance can have adverse consequences – Civil remedies: institute civil action for damages, aggravated damages, interest and legal costs Penalties: include imprisonment and a fine Administrative fines (up to R1 million) Adverse publicity, potentially leading to reputational damage Increased regulatory scrutiny King III – good governance includes governance of information and technology - “information governance” Global Business? Compliance will aid commerce
    • So…where to begin Obvious starting point: does the organisation need to comply with POPI? There are very few that don’t! Although some more than others Need to consider in light of two important definitions in POPI “PERSONAL INFORMATION” “PROCESS”
    • “Personal information”"personal information" means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to— (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; (b) information relating to the education or the medical, financial, criminal or employment history of the person; (c) any identifying number, symbol, e-mail address, physical address, telephone number or other particular assignment to the person; (d) the blood type or any other biometric information of the person; (e) the personal opinions, views or preferences of the person; (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; (g) the views or opinions of another individual about the person; and (h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;
    • “Processing”“processing" means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including — (a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; (b) dissemination by means of transmission, distribution or making available in any other form; or (c) merging, linking, as well as blocking, degradation, erasure or destruction of information
    • Responsible Party v. Operator "Responsible Party" “Operator” means a means a public or private person who processes body or any other person personal information for a which, alone or in responsible party in terms conjunction with others, of a contract or mandate, determines the purpose of without coming under the and means for processing direct authority of that personal information party More extensive obligations Credit card processing under POPI Data storage IT service providers (physical and virtual)
    • Role Players Critical to have buy in from the role players given the extensive scope of the exercise Internal and external role players Global company: need to involve all jurisdictions in which company operates (especially where cross border data transfer) Look at type of business to identify who the key players are – requires an in-depth understanding of the business and the many ways in which PI is processed Internal Role Players Board of Directors/senior management (CEO, CIO, COO, FD etc) IT (internal) - integral given that implementation will to a large degree involve IT system changes Risk and Compliance officer/Legal HR Sales Marketing External Role Players IT service providers (especially those who process PI of the company’s employees, customers etc) Auditors Lawyers
    • Audit/Due DiligenceWho should do this?Internal v. External?Depends on - Scope of audit (size of organisation) Budget Need for audit to be objective? Internal capacity and expertiseMust have in depth understand POPI and other applicable legislationExperience and understanding of how to conduct audit and thenecessary assessment techniques – questionnaires, workshops,interviews, presentation of findings etc
    • Project PlanPrepare a “project plan”.Project managerFundamental to have this in place - Purpose of the audit – to ultimately ensure POPI (and other data privacy legislation) compliance Scope (which areas of the business will be covered/which departments etc – local and foreign) Role players and their specific tasks Deliverables with time lines Meetings/governanceUltimate aim: to be able to prepare a comprehensive policyregulating processing of PI within the organisation
    • What next? Once decided on scope of audit, benefits to preparing a questionnaire that is distributed to identified departments/ staff/role players. Level of complexity of questionnaire will depend on level of staff understanding of requirements (i.e, purpose of the questionnaire, why detailed and well considered answers are important). Recommend: initial and if necessary follow up workshop where POPI and purpose of audit explained. Best method: combination of well considered questionnaire and face to face interviews with key players
    • The Questionnaire Prepared in such a way so that given can ultimately can prepare a comprehensive data protection and management policy. Useful to have guidance notes explaining what the organisation is looking for in terms of an answer. Want a questionnaire that will elicit the most comprehensive and useful responses and minimise need for follow up interviews. Questionnaire will in certain instances need to be adapted for the department in question. May also need to include external business partners in this process insofar as they process PI. Dedicated team/panel for this process.
    • The QuestionnaireWhat [Personal Information] do you [process] ?Give examples - questionnaire to HR cite examples of PI as any health details, disciplinary records, payroll details questionnaire to IT providers cite examples of PI as cookies, email addresses, bank details (if online trading offering)Please provide templates/copies of all contracts (internal and external),standard terms of business, policies (including any data protection policies),procedures, manuals etcWhere and for how long is data stored? Is there a documented retention anddestruction policy. If yes, please provide a copyIs PI collected directly or indirectly from relevant individuals, and if so, bywhich medium is it collected (in hard copy form, by telephone, over theinternet etc..).What security processes and procedures are in place, both in respect of datawhen static and when in motion?Is there a data security policy. If yes, please provide a copy
    • The Questionnaire cont…..Does PI collected/requested exceed the purposes for which it wascollected (for example, if the PI was collected for the purposes of sellinga cell phone, it is not relevant to know the religion or have any detailsabout the individuals health).Do we have procedures in place to ensure that PI is kept accurate for theperiod of retention (for example, prompting online customers to updatetheir details every six months).Do we outsource any processing of PI to a third party and if yes, do wehave any contracts in place with such third parties?If yes, do these contracts regulate how such service providers mustprotect and process such information?Do we receive PI from foreign jurisdictions and if yes, from where?Do we transmit PI to foreign jurisdictions and if yes, to where?Do we have any documented Rules for cross border data transfer?Direct marketing: what consents do we have in place
    • Next Steps? Collate answers Start to prepare policy May require follow up questionnaires, interviews Ongoing process
    • Cross Border Data Transfer Major issue – seen as one of the impediments to global trade Two components – Can personal data be transferred outside South Africa Can personal data be returned to South Africa Transfer out Common law: may require consent of data owner PPI: place restrictions on cross border data transfer (Section 74 of the PPI) Transfer in Will need to consider laws of particular jurisdiction in which the data is held. Many countries have restrictions such as UK, Switzerland, Ireland, Australia etc..
    • Cross Border Data TransferInternational developments New EU Regulation USA: USA Consumer Data Privacy framework
    • THANK YOU Tammy BortzNothing in this presentation should be construed as formal legal advice from any lawyer or this firm. Readers areadvised to consult professional legal advisors for guidance on legislation which may affect their businesses. © 2011 Werksmans Incorporated trading as Werksmans Attorneys. All rights reserved.