OVERVIEW
OUR APPROACH
OUR OFFERINGS
CONCLUSION
A BACKGROUND ON PRIVACY
Olmstead case – basis of our understanding of privacy
Important because information has become easily accessible:
46% increase from 2010
Crime committed:
– every 3.5 minutes in NYC
– every 2.5 minutes in Tokyo
– every 3 seconds an identity stolen online
Highest number of cybercrime victims worldwide:
– 92% RUSSIA
– 84% CHINA
– 80% SOUTH AFRICA
Greater revenue than drug trade
Mobile growth sparks increase
WHAT IS POPI?
Right to be left alone
Enshrined in sect 14 of Constitution
Balances right of privacy with other rights, in particular access to information
Prescribes minimum processing requirements
Provides remedies to abuse of PI
Protects free flow of information
International harmony
DID YOU KNOW:
THE PROTECTION OF PERSONAL INFORMATION (POPI) ACT WILL HAVE AN IMPACT ON ALMOST EVERY COMPANY OPERATING IN SA?
THE POPI ACT WILL ESTABLISH A CODE OF CONDUCT FOR CONFIDENTIAL HANDLING OF PERSONAL INFORMATION
CONDITIONS FOR LAWFUL PROCESSING OF PERSONAL INFORMATION
Collection of data (Accountability)
Processing limitations
Retention & Deletion of data (Purpose Specification)
Further Processing of Data
Data security (Security Safeguards)
Data subject participation
Notification (Openness)
Information Quality
COLLECTION OF DATA
Information must be collected directly from the individual
Exceptions:
– Public records
– Consent given to a third party
– Law enforcement
The person must be aware of the purpose for collecting their personal information and give consent
There is additional consent needed to store and process data outside of South Africa
PROCESSING LIMITATIONS
Businesses are not permitted to process personal information of children under 18
Unless specifically permitted, you are NOT ALLOWED to process information about:
– Religious or philosophical beliefs
– Trade union membership or political opinions
– Health, sexual life or biometric details
– Race or ethnic origin
– Criminal Behaviour
RETENTION OF DATA
Information must NOT be kept any longer than is necessary for processing
DELETION OF INFORMATION
Data must be destroyed as soon as possible
It must be impossible for data to ever be recovered or reconstructed
DATA SECURITY
Technical and organisational security measures to prevent data loss or damage, or unlawful access to personal information are essential.
DATA SUBJECT PARTICIPATION
A person must be able to:
– Find who has their data
– Request a copy of all personal information held by an organisation
– Request amendments or deletion of their data, and receive proof this has been done
NOTIFICATION
Reasonable steps must be taken to ensure that the data subject is aware of breaches to information
Data Subjects must be supplied with information:
– How collected
– Contact details of Responsible Party
– Purpose and Consequences
– Laws authorising or requiring collection of information
– When the Responsible Party intends to send the information to a third party or across international borders, including level of protection
– Any further information
ENFORCEMENT
Official complaint process
Punishment up to 10 years imprisonment and/or fine up to R10 million
Civil action may also be taken
SOME BREACH EXAMPLES
EXCEPTIONS
Processed for purely personal or household activities
De-identified Personal Information
Processed for National security, defence or public safety
Processed in investigating and prosecuting crime
Cabinet and EC of Provinces
Exemptions granted by Regulator
Journalistic purposes
OUR APPROACH
We can help companies define a strategy and roadmap to become compliant with the POPI Act.
We provide a complete and holistic execution that interweaves the key areas of PEOPLE, PROCESSES and TECHNOLOGY
PROCESS DIAGRAM
Our transformational approach focusing on enablement of people, process and technology.
INSIGHT, TRANSFORMATION, ROADMAP, ENABLEMENT
• People understanding
• Skills and capacity
• Process capability
• Technology availability and capability
Design the business response to ensure effective and efficient compliance
Prioritised investment route map based on business and IT considerations in support of defined architecture
Current state
POPI vision and strategy
People education
Process compliance
Technology capability
PROCESS DIAGRAM
Our transformational approach focusing on enablement of people, process and technology.
Current state
POPI vision and strategy
People education
Process compliance
Technology capability
Status of Enablement
Business and compliance risks
Business and risk considerations
Costs and time considerations
Business architecture
Information systems architecture
Technology architecture
People enablement
STRATEGY
POPI Strategy and Implementation Roadmap
Business case development
TRAINING AND EDUCATION
POPI Act and Implications customised for implemented solutions
CHANGE & COMMUNICATION
Strategy & Planning
Development & execution of awareness campaigns
DATA
Data Audits, Security & Management
PROCESS & CONTENT
Process Solution Design & Automation
Records Management assessment, design & enablement
Security policy enablement
Content archival solutions
Content Governance
Document destruction services
LAWS AFFECTED BY POPI
ANY QUESTIONS?
THANK YOU FOR TAKING THE TIME TO EDUCATE YOURSELF ON POPI!

POPI Act compliance presentation
