• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Werksmans presentations on popi
 

Werksmans presentations on popi

on

  • 1,276 views

 

Statistics

Views

Total Views
1,276
Views on SlideShare
1,276
Embed Views
0

Actions

Likes
0
Downloads
64
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Werksmans presentations on popi Werksmans presentations on popi Presentation Transcript

    • Follow this event on Twitter: #WerksmansPOPI Noticing Noticed Notices Neil Kirby 16 May 2013
    • Follow this event on Twitter: #WerksmansPOPI WHO? Information Officer 2
    • Follow this event on Twitter: #WerksmansPOPI WHY? The purpose of the Act (section 2) 3
    • Follow this event on Twitter: #WerksmansPOPI WHAT? Security compromises Requests in respect of data-correction Compliance: encourage and ensure Regulator liaison Chapter 6 investigations Promotion of Access to Information Act No. 2 of 2000 4
    • Follow this event on Twitter: #WerksmansPOPI CHAPTER 6 Prior authorisation processing Notification required-once-off Written and detailed Await reply in respect of investigation 4 weeks : more detailed investigation 13 week limit Results 5
    • Follow this event on Twitter: #WerksmansPOPI IN ADDITION Deputies Regulations : responsibilities Manner and forms Complaints, investigations, search & seizure, information notice, assessments, enforcement notice, appeals and a section99(1) action 6
    • Follow this event on Twitter: #WerksmansPOPI THANK YOU Neil Kirby 16 May 2013 Nothing in this presentation should be construed as formal legal advice from any lawyer or this firm. Readers are advised to consult professional legal advisors for guidance on legislation which may affect their businesses. © 2013 Werksmans Incorporated trading as Werksmans Attorneys. All rights reserved.
    • Follow this event on Twitter: #WerksmansPOPI When you speak you begin with “A, B, C”. When you comply you begin with “Don’t bother me”? Ina Meiring 16 May 2013
    • Follow this event on Twitter: #WerksmansPOPI Duties and responsibilities of the Information Officer Section 55(1): “An information officer’s responsibilities include— (a) the encouragement of compliance, by the body, with the conditions for the lawful processing of personal information; (b) dealing with requests made to the body pursuant to this Act; (c) working with the Regulator in relation to investigations conducted pursuant to Chapter 6 in relation to the body; (d) otherwise ensuring compliance by the body with the provisions of this Act; and (e) as may be prescribed” 9
    • Follow this event on Twitter: #WerksmansPOPI Conditions for lawful processing Condition 1: Accountability The responsible party must ensure that the conditions for lawful processing and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself. 10
    • Follow this event on Twitter: #WerksmansPOPI Processing limitation (2) Personal information must be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject. Adequate, relevant and not excessive (purpose) (minimal) Only if – the data subject consents to the processing; processing is necessary: contract to which the data subject is party; processing complies with an obligation imposed by law on the responsible party; processing protects a legitimate interest of the data subject; processing is necessary for the proper performance of a public law duty by a public body; or processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied. 11
    • Follow this event on Twitter: #WerksmansPOPI Processing limitation (2) The data subject may withdraw consent and may object to the processing of personal information (unless legislation provides for such processing). Personal information must be collected directly from the data subject, unless – the information is contained in or derived from a public record or has deliberately been made public by the data subject; the data subject or a competent person where the data subject is a child has consented to the collection of the information from another source; collection of the information from another source would not prejudice a legitimate interest of the data subject; 12
    • Follow this event on Twitter: #WerksmansPOPI Collection directly from the data subject Personal information must be collected directly from the data subject, unless collection of the information from another source is necessary— to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences; to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997); for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; in the interests of national security; or to maintain the legitimate interests of the responsible party or of a third party to whom the information is supplied; compliance would prejudice a lawful purpose of the collection; or compliance is not reasonably practicable in the circumstances of the particular case. 13
    • Follow this event on Twitter: #WerksmansPOPI Purpose specification (3) Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party. The data subject must be aware of the purpose of the collection of the information. No records must be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless— required or authorised by law; the responsible party requires the record for lawful purposes; required by a contract between the parties thereto; or the data subject has consented to the retention of the record. 14
    • Follow this event on Twitter: #WerksmansPOPI Further processing limitation (4) Further processing of personal information must be in accordance or compatible with the purpose for which it was collected The responsible party must take account of— the relationship between the purpose of the intended further processing and the purpose for which the information has been collected; the nature of the information concerned; the consequences of the intended further processing for the data subject; the manner in which the information has been collected; and any contractual rights and obligations between the parties 15
    • Follow this event on Twitter: #WerksmansPOPI Information quality (5) The responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary. In taking the steps referred to the responsible party must have regard to the purpose for which personal information is collected or further processed. 16
    • Follow this event on Twitter: #WerksmansPOPI Openness (6) A responsible party must – maintain documentation of all processing operations; ensure that the data subject is aware of – the information being collected; the name and address of the responsible party; the purpose ; whether or not the supply of the information by that data subject is voluntary or mandatory; the consequences of failure to provide the information; any particular law authorising requiring the collection of the information; 17
    • Follow this event on Twitter: #WerksmansPOPI Openness(6) A responsible party must ensure that the data subject is aware of- further information such as the— recipient or category of recipients of the information; nature or category of the information; and existence of the right of access to and the right to rectify the information collected; the right to object to the processing of personal information; the right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator. 18
    • Follow this event on Twitter: #WerksmansPOPI Security safeguards (7) A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent— loss of, damage to or unauthorised destruction of personal information; and unlawful access to or processing of personal information. 19
    • Follow this event on Twitter: #WerksmansPOPI Operator A person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party. An operator or anyone processing personal information in behalf of a responsible party or an operator must- process such information only with the knowledge or authorisation of the responsible party; and treat personal information which comes to their knowledge as confidential and not disclose it, unless required by law or in the course of the proper performance of their duties. 20
    • Follow this event on Twitter: #WerksmansPOPI Security measures A responsible party must, in terms of a written contract between the responsible party and the operator, ensure that the operator which processes personal information for the responsible party establishes and maintains the security measures referred to in section 19. The operator must notify the responsible party immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person. 21
    • Follow this event on Twitter: #WerksmansPOPI Data subject participation(8) A data subject has the right to— request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject; and request from a responsible party the record or a description of the personal information about the data subject held by the responsible party, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information— (i) within a reasonable time; (ii) at a prescribed fee, if any; (iii) in a reasonable manner and format; and (iv) in a form that is generally understandable. 22
    • Follow this event on Twitter: #WerksmansPOPI Checklist The nature (and volume?) of personal information processed within your organisation and whether it is complete, accurate and up to date. You will have to undertake an audit of human resources, IT (for security and contingency measures), marketing, customer sales and support. Do you have a data privacy policy which also addresses information security (security safeguards) ? Does this policy describe sufficient physical, technological and organizational data security measures? This policy should also address the conditions for lawful processing (and further processing) within your organisation and within the Group. Do you disclose personal information to third parties (e.g. sub-contractors) and do you have contracts and security measures in place to ensure data privacy? 23
    • Follow this event on Twitter: #WerksmansPOPI Checklist Do you have a process for notification of security compromises (assuming you have addressed disaster recovery, and risks of unauthorised access). Have you established who will be appointed as Information Officers and deputy information officers and do they do know what their obligations under POPI will be? Does your business understand when notifications to the Regulator must be made?. Have you reviewed your employment contracts to address data privacy and information security? 24
    • Follow this event on Twitter: #WerksmansPOPI Checklist Have you reviewed the terms and conditions of products and services sold to customers to deal with your compliance obligations under POPI (e.g. consents required)? Do you have a process in your organisation to deal with complaints about inaccuracies of personal information or when a data subject wishes to exercise any of the rights under clause 5 of POPI? Do you or will you provide training to employees and how will the policy be communicated within your organisation and to external parties? 25
    • Follow this event on Twitter: #WerksmansPOPI Checklist Do you transfer data outside the borders of SA and does your policy provide for this? Have you reviewed your marketing procedures and processes to determine compliance with POPI (and other applicable law)? Do you have a document retention policy which also addresses destruction thereof within a certain period? The document retention policy should take into account any personal information retained. 26
    • Follow this event on Twitter: #WerksmansPOPI Quick wins 27 Get there! Empower your people Designate role, prepare appointment documentation for Information Officer Review or prepare standard templates for data sharing or processing in agreements Inventory of databases and flows Review or prepare template data transfer contracts Review or revise or prepare privacy policies and notices directed at customers and business partners Review or prepare notices directed at employees with respect to processing of employee data Assess where notifications are required Review or prepare data processing contracts Direct marketing: implement protocols for opt-in/opt-out processes... Review/develop internal protocols and processes
    • Follow this event on Twitter: #WerksmansPOPI THANK YOU Ina Meiring 16 May 2013 Nothing in this presentation should be construed as formal legal advice from any lawyer or this firm. Readers are advised to consult professional legal advisors for guidance on legislation which may affect their businesses. © 2013 Werksmans Incorporated trading as Werksmans Attorneys. All rights reserved.
    • Follow this event on Twitter: #WerksmansPOPI Houses of straw, houses of sticks and houses of bricks Ahmore Burger-Smidt
    • Follow this event on Twitter: #WerksmansPOPI Obligations for the Protection of Personal Information can have a significant impact on business... The way that any organisation processes and handles the personal information of its customers, employees, business partners and service providers is crucial Non compliance with the duties imposed by legislation may result in regulatory action, civil liability, damage to reputation and, in extreme cases, even criminal prosecution
    • Follow this event on Twitter: #WerksmansPOPI 31 National Comprehensive Data Protection/Privacy Laws and Bills 2012
    • Follow this event on Twitter: #WerksmansPOPI The big picture programme 32 Privacy Programme POLICY & PROCEDURES • Employee, Customer and Partner Policies and Procedures • Enterprise-Wide Standard Operation Procedures PRIVACY ANALYSIS • Life-cycle based Data Flow Analysis (information acquisition, use, storage, distribution and destruction) with multiple options (organizational, business unit, geography, process, system or employee or customer data) • Risk-based Assessments and Gap Analysis • Risk Prioritisation CULTURAL TRANSFORMATION • Governance • Enterprise Directives (Policies, Processes, Guidelines, Scenarios, Taxonomy) • Value-Adoption Assessments • Web-enabled tools (dynamic content/role and activity based) SOLUTION SET DESIGN • Policy & Procedures • Cultural Transformation • System/Product Architecture • Detailed Roadmaps (Prioritisation, inter-dependencies and estimated resources and time) PRIVACY STRATEGY • Brand Opportunities • Regulatory Environment • Governance • Communications Plan • Strategic Roadmaps SYSTEM ARCHITECTURE • Strategy (data location, centralised vs decentralized) • Functional requirements • Technical Specifications • Development • Implementations • Change Management • Quality assurance MONITORING & REPORTING • Processes • Regulatory safe Harbour • Extended Enterprise • Systems/Applications • Internal Audit Programs • Web-based monitoring tools • Incident Response PRIVACY FRAMEWORK • Methodology • Tool-based Framework • Detailed Requirements Analysis (brand, regulatory, policy)
    • Follow this event on Twitter: #WerksmansPOPI The 5 Key principles 33 Know what you have- files and computors Who, how, what, where Who has access Keep only what you need Legitimate business need What does the law require Protect the information that you keep Physical and electronic security Network security, laptop, firewalls, remote access Take stock Scale down Lock it Pitch it Plan ahead A plan to respond to security incidents Who in the team will lead Step-by-step guideline Properly dispose of what you don’t need Disposal processes, effective disposal Process and Policy
    • Follow this event on Twitter: #WerksmansPOPI Implementing the 5 key principles: Werksmans methodology 34 Applicable legislative landscape ResponsibilitiesDuties Types of records Processes Werksmans insight POPI Compliance Road-map Close existing gaps Compliance officerPolicies and procedures Incident management process Training Alignment with legislation Security / processes and procedures Security Ownership Current state Desired state
    • Follow this event on Twitter: #WerksmansPOPI What does this look like 35 3. Resource planning 4. Empowerment: Documentation 1. Situation Assessment 2. Risk Management Understand current practices, arrangements and agreements As-Is – To-Be Report Identify philosophy and overall strategy Add to business process map Formulate change and communication strategy Risk Management Plan Organisation specific resource plan Compliance cultureStrategic Outcome Operational Analysis Outcome Understand way forward Enable staff and empower organisation Define “people” privacy structure Draft job descriptions as identified Draft and amend customer facing documentation Draft call centre scripts Awareness Ability to hold staff accountable Embed risk management tool Formulate overarching HR Plan Training- workshop and online Draft/Review operator contracts Information classification Identification of types of processes Define implementation dependencies Design and implement risk management tool Draft security compromises process Draft step guide to information requests Draft special information processing procedure Draft Policies Draft standard agreements or templates for intra-group data transfers Draft documentation - trans border information transfers
    • Follow this event on Twitter: #WerksmansPOPI Only once you understand ….. 36 Storage Use Sharing Archive Acquisition Destruction Information Management Lifecycle
    • Follow this event on Twitter: #WerksmansPOPI The way forward should suit your specific business 37 Text Your POPI approach POPI compliance should never be an impediment to your business. POPI compliance should have: • a relevant approach • practical approach • innovative and creative outcome • Allow your business to focus on strategy, risk management, corporate governance and future growth!
    • Follow this event on Twitter: #WerksmansPOPI THANK YOU Ahmore Burger-Smidt 16 May 2013 Nothing in this presentation should be construed as formal legal advice from any lawyer or this firm. Readers are advised to consult professional legal advisors for guidance on legislation which may affect their businesses. © 2013 Werksmans Incorporated trading as Werksmans Attorneys. All rights reserved.
    • Follow this event on Twitter: #WerksmansPOPI BORDER CROSSINGS: Cross Border Data Transfer Section 72 of POPI Tammy Bortz 16 May 2013
    • Follow this event on Twitter: #WerksmansPOPI INTRODUCTION Internet: massive movement of data between jurisdictions Benefits: ability to move data around depending on where there is processing capacity/resources transfer data to jurisdictions where data processing cheaper Business enabler: Service providers rely on the internet as their biggest business tool. Over the years huge growth in revenue generated by online service providers: e-commerce (able to reach many more customers – no longer need a physical presence), cloud computing (and in turn end users who use cloud services) Consumers: communication tool, wider choice of goods/services (which in turn creates competition) Business: process data in different regions based on resources, no longer need staff/operations in centralized location, scale down on IT spend 40
    • Follow this event on Twitter: #WerksmansPOPI INTRODUCTION SMME’s: no longer require costly infrastructure and resources: easy access to email, accounting packages, and ERP all via the internet – turn on and off based on need - cloud services cheap and easily accessible advertising platforms: Facebook, linked in etc. Africa: access to Internet growing (laying of fibre): enables online access to educational resources/medical resources Increase international trade 41
    • Follow this event on Twitter: #WerksmansPOPI LEGAL OBSTACLES Data transfer impeded by global data privacy laws No one global data protection law/data framework – businesses that wish to transfer data between jurisdictions have to familiarizes themselves and navigate through a patchwork of laws and global rules Certain jurisdictions – far more prescriptive than others as to the basis on which personal information can enter and leave its jurisdiction as well as how the data of its citizens should be protected “data protectionism”- governments have in place laws that enable them to have control over data sitting in their jurisdiction – favor local interests and competition 42
    • Follow this event on Twitter: #WerksmansPOPI MAJOR PLAYERS: EUROPEAN UNION Data Protection Directive: Directive 95/46/EC Each EU member country must pass its own national law which is in compliance with the directive Many have such legislation – UK most well know Others: Finland, Germany, Ireland, Isle of Mann Cannot transfer personal data out of the EU unless target jurisdiction has “adequate protection” ie laws in place that offer same level of protection as that offered by the EU Exceptions to this are (“adequate protection”): White listed countries US-EU Safe harbor Use of EU approved data export agreements/model contract clauses Binding corporate rules 43
    • Follow this event on Twitter: #WerksmansPOPI MAJOR PLAYERS: EUROPEAN UNION Findings of adequacy: Canada, Guernsey, Jersey: Participation in Safe Harbor scheme Standard/Model Contractual Clauses: directive issued by EU Commission 2001/2004/2010. Transfers made in terms of an agreement which contains these clauses - target company deemed to have adequate controls in place Binding Corporate Rules 44
    • Follow this event on Twitter: #WerksmansPOPI BINDING CORPORATE RULES Binding Corporate Rules or "BCRs" allow multinational corporation, international organizations and groups of companies to make intra-organizational transfers of personal data across borders in compliance with EU Data Protection laws. BCR’s were developed as an alternative to the Safe Harbor principles (which are for US organizations only) and the EU Model Contract Clauses. Must be approved by the data protection authority in each EU Member State (such as the Information Commissioners Office in the UK) in which the organization will rely on the BCR’s. Examples of organizations who have BCR’s: Citigroup, Accenture, Novartis, Phillips 45
    • Follow this event on Twitter: #WerksmansPOPI MAJOR PLAYERS: USA USA: no overriding legislation that protects personal information of US citizens Legislation at industry level Safe Harbor: US organizations that participate in the safe harbor scheme are “white listed” – ie, EU will allows transfer of personal data to the US Obama Administration: 2012 issues framework for national protection of personal data legislation – aligns with EU data protection principles Purpose: to enable seamless transfer of data between the USA and EU member states 46
    • Follow this event on Twitter: #WerksmansPOPI SOUTH AFRICA Currently, no single overriding data protection law in place which regulates cross border data transfer – this will change once POPI passed into law. In particular, EU will regard RSA as a jurisdiction which has an adequate level of protection Current restrictions on outward transfer Constitution and Common Law and which grants rights to privacy to South African citizens and under what circumstances such rights can be overridden – Consent Necessity Contracts: Contractual clauses which may prevent data transfer Confidentiality undertakings Legislation for regulated industries Financial Advisory and Intermediary Services Act , as read with its Codes of Conduct National Health Act 47
    • Follow this event on Twitter: #WerksmansPOPI SOUTH AFRICA Financial Service Providers o “The Codes of Conduct for Administrative and Discretionary [FSP’s] (Government Gazette 25299, 8 August 2003]: FSP’s may not without [investors] prior written approval, sell to or provide a third party with an [investors] details unless obliged to by, or in terms of any law o “General Code of Conduct for Authorised [FSP’s] and Representatives (Government Gazette 25299 8 August 2003) : an FSP may not disclose any confidential information acquired or obtained from an [investor] or in regard to such [investor] unless the written consent of the [investor] has been obtained beforehand or disclosure of the information is required in the public interest or under any law.” 48
    • Follow this event on Twitter: #WerksmansPOPI TRANSFER OUT: SECTION 72 A responsible party cannot transfer personal information to a third party who is in a foreign country. Exemptions:— the third party who is the recipient of the information is subject to a law, binding corporate rules, binding agreement or a memorandum of understanding entered into between two or more public bodies, which provide an adequate level of protection that— (i) effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and (ii) includes provisions, that are substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country; consent; transfer necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject’s request; transfer necessary for the conclusion /performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or transfer is for the benefit of the data subject, and— it is not reasonably practicable to obtain the consent of the data subject to that transfer; and if it were reasonably practicable to obtain such consent, the data subject would be likely to give it. 49
    • Follow this event on Twitter: #WerksmansPOPI BINDING CORPORATE RULES/MOU Available to public bodies Must be approved by data protection authorities “Binding corporate rules’’: personal information processing policies, within a group of undertakings (being a controlling undertaking and its controlled undertakings) which are adhered to by a responsible party or operator within that group of undertakings when transferring personal information to a responsible party or operator within that same group of undertakings in a foreign country Where the transfer is made in terms of a non-binding memorandum of understanding [BCR’s?] the public body remains accountable in terms of POPI for the protection of the personal information. 50
    • Follow this event on Twitter: #WerksmansPOPI CONSENT Must be voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information Guidance from the EU Commission as to what would be regarded as consent for purposes of this exemption – individual must know why data is being transferred and where possible, to which jurisdictions Not be given under duress Specific for purpose for which given – cannot transfer for any other purpose How and at what point must this consent be obtained? Physical forms Website Point of Sale 51
    • Follow this event on Twitter: #WerksmansPOPI PERFORMANCE OF A CONTRACT/IMPLEMENTATION OF PRE- CONTRACTUAL MEASURES “Transfer necessary for the performance of a contract between the data subject and the responsible party or for the implementation of pre-contractual measures taken in response to the data subject’s request (transfer is a necessary step the individual has asked the organisation to take for purposes of contract conclusion)” Examples individual books a hotel in the USA through a South African travel agent. RSA travel agent will need to transfer the booking details to the USA to fulfil its contract with the individual. customer of a South African credit-card issuer uses their card in Japan. It may be necessary for the card issuer to transfer some personal data to Japan to validate the card and/or reimburse the seller A South African based internet trader (retailer) sells goods online. Goods are delivered direct to the customer from the manufacturer. If customer orders goods that are manufactured in the Ukraine, the trader needs to transfer a delivery name and address to the Ukraine to carry out the contract. Transfer will not be regarded as necessary where due to the structure of the business ie: the company decides to locate a business operation off shore (here, transfer not necessary but convenient) 52
    • Follow this event on Twitter: #WerksmansPOPI NECESSARY FOR THE CONCLUSION/PERFORMANCE OF A CONTRACT CONCLUDED IN THE INTEREST OF THE DATA SUBJECT 53 “The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party”” “Interest” not defined Will be in the interest of a data subject if some benefit to the data subject ie - Lower cost of processing passed on the customer Better security Improve service offering Use of offshore redundancy: decrease risk of outages
    • Follow this event on Twitter: #WerksmansPOPI BENEFIT AND NOT PRACTICABLE TO OBTAIN CONSENT 54 Transfer is for the benefit of the data subject, and— (i) it is not reasonably practicable to obtain the consent of the data subject to that transfer; and (ii) were reasonably practicable to obtain such consent, the data subject would be likely to give it “Benefit”: lower cost of processing passed on the customer, better security, improve service offering, use of offshore redundancy, decrease risk of outages “not practicable to obtain” subjective enquiry Example: where thousands of customers/impossible to track all customers Compare cost of seeking consent against benefit to disclose If practicable: data subject would give consent What data is being transferred? Would need to look at the purpose for which data being transferred What protection is afforded in the offshore jurisdiction?
    • Follow this event on Twitter: #WerksmansPOPI TRANSFER IN Transfer in POPI: remove barriers for transfer from EU to RSA, USA where organization has subscribed to Safe Harbor Current Position Where does the data sit? Are there any laws in such jurisdiction which may inhibit the inward transfer of such data to South Africa? Assess this before transfer data to such jurisdiction 55
    • Follow this event on Twitter: #WerksmansPOPI THANK YOU Tammy Bortz 16 May 2013 Nothing in this presentation should be construed as formal legal advice from any lawyer or this firm. Readers are advised to consult professional legal advisors for guidance on legislation which may affect their businesses. © 2013 Werksmans Incorporated trading as Werksmans Attorneys. All rights reserved.