POPI Seminar FINAL
3. The increasing need for data security
According to the 2014 Cost of Data Breach Study: Global Analysis (Ponemon Institute, sponsored by IBM), the average total cost of a data breach to a company was US$3.5 million, 15 percent more than the previous year.
On average, South African companies that experienced a breach in the preceding 12 months reported a cost to their organisation of upwards of R5.6 million.
According to Aon, an estimated 70% of South African businesses are unprepared for cyber crime and cyber liability.
6. Forms of data breaches
Phishing (e.g. emails impersonating SARS or a bank)
Credit card cloning (e.g. at hotels and shops)
Weak or insecure passwords (e.g. a person's name, or "786")
Unauthorised employee access to sensitive information (e.g. secretaries)
Hacking (external or internal)
Theft of information (by employees, or through corporate espionage)
Theft of devices (laptops, cellphones)
8. Causes of data breaches
Keeping too much data around
Failing to encrypt laptops, mobile devices and removable media
Poorly designed business processes
Accidental publishing to the web or by email
Lack of appropriate access controls
9. The need for data protection legislation
The need for personal data protection was first addressed at European level by the EU Data Protection Directive of 1995.
In 2012, amid increasing data breaches and information leaks, the European Commission proposed the General Data Protection Regulation to replace the Directive.
In line with international standards, South Africa gazetted the Protection of Personal Information Act in November 2013.
To date, the United States still has no single, unified law on personal data protection, leaving organisations, businesses and government agencies largely free to deal with personal information in any way they see fit.
Edward Snowden (ex-NSA) exposed the extent to which personal data is abused in the United States, e.g. agents used intercepted data to track spouses, spy on neighbours, and read the information of friends and colleagues.
10. A South African perspective
The Bill of Rights, section 14: "Everyone has the right to privacy, which includes the right not to have their person or home searched; their property searched; their possessions seized; or the privacy of their communications infringed."
The Protection of Personal Information Bill of 2009 and Act of 2013 (Act 4 of 2013)
11. Who does POPI apply to?
POPI applies to all public and private bodies that process personal information in the Republic of South Africa.
Certain processing is specifically excluded from POPI, including processing by or on behalf of the SAPS when investigating crimes and by the intelligence agencies when maintaining national security, to the extent that other legislation provides adequate safeguards.
Other exclusions, set out in sections 6 and 7 of the Act, cover information that is:
processed in the course of a purely personal or household activity;
sufficiently de-identified that it can no longer be linked to a person;
processed for some state functions, including criminal prosecutions and national security;
processed for journalistic purposes under a code of ethics;
processed by a court in the course of its judicial functions.
12. What is personal information?
Contact details: email, telephone, address etc.
Demographic information: age, sex, race, birth date, ethnicity etc.
History: employment, financial, educational, criminal and medical history
Biometric information: blood type, fingerprints etc.
Opinions of and about the person
Private correspondence etc.
13. How is personal information collected?
Client or customer information forms
Credit applications
Online submissions
Registration forms
Entry into competitions
Cellular (e.g. SMS) submissions
Referrals from others
Sale of databases
14. The direct marketing dilemma
The Act defines the term as follows: "direct marketing" means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or requesting the data subject to make a donation of any kind for any reason.
15. Opt in vs opt out
Old standard: everyone is automatically opted in, and must unsubscribe or SMS "STOP" to opt out.
VS
POPI standard: the data subject must explicitly opt in before receiving electronic direct marketing (section 69).
16. Consent to data processing
"Consent" means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.
The one exception to the opt-in rule is an existing customer whose contact details were obtained in the context of a sale, who may be marketed the responsible party's own similar goods or services. Even then the customer must be given a reasonable opportunity to opt out, free of charge:
1. when the personal information is first collected; and
2. with each subsequent communication.
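The opt-in rule and the existing-customer exception above translate directly into a send-or-don't-send decision. The following is an added example written for this page, not code from the seminar or from Smart Legal, showing the old default-in gate beside a POPI-style gate: it assumes an in-memory store of consent events and objections, a per-subject set of product lines the person has actually bought (the "existing customer" case), one channel string per message (email, sms), and a constructed opt-out URL; all sample subjects are constructed.

```python
"""Electronic direct-marketing consent gate modelled on POPI section 69.

Added illustration, not code from the seminar or from Smart Legal. Assumes an
in-memory store of consent events and objections, a per-subject set of product
lines actually purchased ('existing customer'), and one channel string per
message. The opt-out URL and the sample subjects are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Consent:
    purpose: str        # what the data subject agreed to, e.g. "direct_marketing"
    channel: str        # channel the consent covers: "email", "sms", ...
    given_at: datetime
    source: str         # where the express opt-in was captured (constructed field)


@dataclass
class Subject:
    subject_id: str
    customer_of: set = field(default_factory=set)   # product lines actually purchased
    consents: list = field(default_factory=list)    # explicit opt-ins
    objections: set = field(default_factory=set)    # channels the subject has opted out of


def legacy_may_send(subject: Subject, channel: str) -> bool:
    """The 'old standard': everyone is in until they unsubscribe."""
    return channel not in subject.objections


def popi_may_send(subject: Subject, channel: str, product_line: str) -> bool:
    """The POPI standard (section 69, simplified for the example).

    Unsolicited electronic marketing is prohibited unless either
    (a) the subject gave voluntary, specific and informed consent for direct
        marketing on this channel, or
    (b) the subject is an existing customer for this product line (contact
        details obtained in the context of a sale) and has not objected.
    An objection on the channel always wins.
    """
    if channel in subject.objections:
        return False
    has_explicit_consent = any(
        c.purpose == "direct_marketing" and c.channel == channel
        for c in subject.consents
    )
    if has_explicit_consent:
        return True
    return product_line in subject.customer_of


def build_message(subject: Subject, channel: str, product_line: str, body: str) -> Optional[dict]:
    """Assemble a marketing message, or return None if it may not be sent.

    Every communication carries a free opt-out, because section 69 requires the
    opportunity to object at collection and on each subsequent communication.
    """
    if not popi_may_send(subject, channel, product_line):
        return None
    return {
        "to": subject.subject_id,
        "channel": channel,
        "body": body,
        # constructed opt-out instruction; a real system would use its own mechanism
        "opt_out": f"Reply STOP, or visit https://marketing.example.invalid/optout/{subject.subject_id}",
    }


def record_objection(subject: Subject, channel: str) -> None:
    """Honour an opt-out: after this, nothing on that channel may be sent."""
    subject.objections.add(channel)


def sample_subjects() -> dict:
    """Constructed sample subjects (not real people)."""
    t0 = datetime(2014, 3, 1, tzinfo=timezone.utc)
    return {
        # contact details bought from a list broker: no relationship, no consent
        "bought_list": Subject("S-001"),
        # existing insurance customer who never ticked a marketing box
        "customer": Subject("S-002", customer_of={"insurance"}),
        # ticked "send me offers by email" on a competition entry form
        "opted_in": Subject("S-003", consents=[
            Consent("direct_marketing", "email", t0, "competition entry form")]),
    }


if __name__ == "__main__":
    for name, s in sample_subjects().items():
        print(name, "legacy:", legacy_may_send(s, "email"),
              "popi:", popi_may_send(s, "email", "insurance"))
```

Run stand-alone it prints that the bought list passes the legacy gate and fails the POPI gate, while the existing customer passes only for the product line actually sold. Note that consent is recorded per channel and per purpose: an email opt-in on a competition form does not cover SMS, and an objection is checked before anything else.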
17. The 8 conditions for lawful processing
Accountability
the responsible party must ensure that the conditions of the Act are complied with, and answers to the Information Regulator for this
Processing limitation
data must be processed lawfully and in a reasonable manner that does not infringe the data subject's privacy, and only with consent or another lawful justification
Purpose specification
data must only be collected for a specific, explicitly defined and lawful purpose, and not be kept longer than needed for that purpose
Further processing limitation
further processing is only allowed if it is compatible with the purpose for which the data was originally collected (or the data subject consents)
18. The 8 conditions for lawful processing (continued)
Information quality
the responsible party must ensure that information is complete, accurate, not misleading and up to date
Openness
the data subject must be notified of what is collected, by whom and for what purpose, and the responsible party must document its processing
Security safeguards
appropriate, reasonable technical and organisational measures must be implemented, physical and logical (software) alike, and security compromises must be notified
Data subject participation
the data subject may request access to their information, correction of inaccurate or misleading information, and deletion of information
19. Designated Information Officer
Every organisation is required in terms of the Act to designate an Information Officer.
The Information Officer's responsibilities include:
encouraging compliance with the conditions for the lawful processing of personal information;
dealing with requests made to the organisation pursuant to the Act;
working with the Regulator in relation to investigations; and
otherwise ensuring compliance with the provisions of the Act.
We recommend that the Information Officer appointed is someone in a high-level position within the organisation.
20. The Information Regulator
The Regulator’s powers, duties and functions are to:
provide education, including the promotion of understanding and acceptance
of the Conditions of lawful processing of Personal Information;
monitor and enforce compliance through the powers vested in it by the
legislation;
consult with interested parties on a national and international basis;
handle and investigate complaints;
conduct research and report to Parliament on international developments;
assist in the establishment and development of codes of conduct;
facilitate cross-border cooperation in the enforcement of privacy laws with
other jurisdictions; and
generally do everything necessary to fulfil these duties, and foster a culture
which protects personal information in South Africa.
21. Consequences of non-compliance with POPI
Suffer reputational damage
Lose customers and fail to attract new ones
Pay out millions in damages in a civil claim or class action
Be fined up to R10 million and/or face up to 10 years' imprisonment
22. What does compliance entail?
Audit the processes used to collect, record, store, disseminate and destroy personal information, and take steps to prevent the information being lost, damaged or unlawfully accessed.
Define the purpose of the information gathering and processing: personal information must be collected for a specific, explicitly defined and lawful purpose.
Limit the processing parameters: the processing must be lawful, and personal information may only be processed if it is adequate, relevant and not excessive for the purpose for which it is processed.
Take steps to notify the data subject: the individual whose information is being processed has the right to know that this is being done, and why.
Check the rationale for any further processing: if information is received via a third party for further processing, that further processing must be compatible with the purpose for which the data was initially collected.
23. Further compliance
Ensure information quality: the company processing the information must make sure the information is complete, accurate, up to date and not misleading or false.
Obtain prior authorisation from the Information Regulator where required: certain categories of processing listed in section 57 (such as linking unique identifiers across responsible parties, processing information on criminal behaviour on behalf of third parties, credit reporting, and transferring special personal information abroad) may not begin until the Regulator has authorised them, once those sections are in effect.
Accommodate data subject requests: POPI allows data subjects to ask, free of charge, whether an organisation holds their personal information, and to obtain the record itself (for which a prescribed fee may be charged), including the identity of all third parties that have had access to it.
Retain records only for required periods: personal information must be destroyed, deleted or de-identified as soon as the purpose for collecting it has been achieved, unless a law or contract requires, or the data subject consents to, longer retention.
Cross-border data transfer: section 72 restricts the sending of personal information out of South Africa to recipients that are not bound by equivalent protections, and information that flows back into South Africa is again subject to the Act once it is processed here.
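The retention point above (destroy, delete or de-identify once the purpose is achieved) and the section 6 exclusion for "sufficiently de-identified" information both come down to what is actually done to a record when its retention period ends. The following is an added example written for this page, not code from the seminar or from Smart Legal: it assumes records are flat dictionaries with the field names shown, that retention is a single number of days counted from collection, and that a legal_hold flag stands for a statutory or contractual duty to keep the identifiable record; the sample records, ID numbers and key are all constructed.

```python
"""Retention and de-identification helpers modelled on POPI sections 14 and 6.

Added illustration, not code from the seminar or from Smart Legal. Assumes flat
dict records with the field names below, retention measured in days from
collection, and a 'legal_hold' flag for a statutory or contractual duty to keep
the identifiable record. Sample records and the key are constructed.
"""
import hashlib
import hmac
from datetime import date

DIRECT_IDENTIFIERS = ("name", "email", "id_number", "phone")
FREE_TEXT = ("notes",)   # free text cannot be reliably scrubbed, so it is dropped


def pseudonym(value: str, key: bytes, field: str) -> str:
    """Keyed HMAC-SHA256 token for one identifier.

    The same input always yields the same token, so records stay linkable for
    statistics, but without the key nobody can reverse it or confirm a guess.
    A plain hash would not do: ID numbers and phone numbers have small,
    structured search spaces and are brute-forceable. The field name is mixed
    in so the same string in two different fields gives different tokens.
    """
    normalised = " ".join(value.split()).lower()
    return hmac.new(key, f"{field}:{normalised}".encode(), hashlib.sha256).hexdigest()[:16]


def year_band(birth_date: str, width: int = 5) -> str:
    """Generalise an ISO birth date to a year band, e.g. '1990-01-01' -> '1990-1994'."""
    year = int(birth_date[:4])
    start = year - year % width
    return f"{start}-{start + width - 1}"


def pseudonymise(record: dict, key: bytes) -> dict:
    """Replace direct identifiers with tokens, generalise the birth date, drop free text.

    Caveat: whoever holds the key can still re-identify the tokens, so the
    output is only 'sufficiently de-identified' for people who never see the
    key; keep the key separate and destroy it when linkability is no longer needed.
    """
    out = {}
    for name, value in record.items():
        if name in DIRECT_IDENTIFIERS:
            out[name + "_token"] = pseudonym(value, key, name)
        elif name in FREE_TEXT:
            continue
        elif name == "birth_date":
            out["birth_year_band"] = year_band(value)
        else:
            out[name] = value
    return out


def purge_expired(records: list, today: date, retention_days: int, key: bytes) -> tuple:
    """Apply section 14: keep identifiable data only as long as the purpose needs it.

    Returns (kept, deidentified): records inside the retention period, or under
    a legal hold, are kept as-is; the rest are replaced by a pseudonymised copy
    and the identifiable version is discarded.
    """
    kept, deidentified = [], []
    for record in records:
        age_days = (today - date.fromisoformat(record["collected"])).days
        if record.get("legal_hold") or age_days <= retention_days:
            kept.append(record)
        else:
            deidentified.append(pseudonymise(record, key))
    return kept, deidentified


# Constructed sample records (not real people; ID numbers are made up)
SAMPLE_RECORDS = [
    {"id": "r1", "name": "Thandi  Nkosi", "email": "thandi@example.invalid",
     "id_number": "9001010000000", "phone": "+27 82 000 0001",
     "birth_date": "1990-01-01", "notes": "asked for a quote",
     "purpose": "insurance quote", "collected": "2013-06-01", "legal_hold": False},
    {"id": "r2", "name": "Sipho Dlamini", "email": "sipho@example.invalid",
     "id_number": "8707070000000", "phone": "+27 83 000 0002",
     "birth_date": "1987-07-07", "notes": "",
     "purpose": "insurance quote", "collected": "2014-05-01", "legal_hold": False},
    {"id": "r3", "name": "Anele Peters", "email": "anele@example.invalid",
     "id_number": "7512120000000", "phone": "+27 84 000 0003",
     "birth_date": "1975-12-12", "notes": "dispute pending",
     "purpose": "claim", "collected": "2012-01-15", "legal_hold": True},
]
DEMO_KEY = b"constructed-demo-key-rotate-me"   # constructed; a real key belongs in a secret store


def demo_run(today_iso: str = "2014-06-01", retention_days: int = 180) -> tuple:
    """Run the purge over the constructed records for a given 'today'."""
    return purge_expired(SAMPLE_RECORDS, date.fromisoformat(today_iso), retention_days, DEMO_KEY)


if __name__ == "__main__":
    kept, gone = demo_run()
    print("kept identifiable:", [r["id"] for r in kept])
    print("de-identified:", gone)
```

With a 180-day retention period as at 2014-06-01, the year-old quote (r1) is reduced to tokens and a birth-year band, the recent quote (r2) is kept, and the claim under dispute (r3) is kept because of the legal hold. The practitioner's caveat is the key: an HMAC token is reversible by anyone who can compute it, so the pseudonymised copy only leaves the Act's scope for parties who never have the key, and the organisation should decide up front who does.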
24. Frequently asked questions
I'm not a criminal or a terrorist, so why does my information need to be protected?
How will the Protection of Personal Information Act be enforced?
Do I need to hire an additional staff member to be my Information Officer?
When do I need to be compliant with the Act?
25. How Smart Legal will help your business
Smart Legal has extensive expertise and experience in data protection policy and its implementation within businesses.
Our assessments and policies are tailor-made to your specific business's needs and requirements.
Our approach is unique, efficient and effective.
Seminar attendees are entitled to a free assessment of their business's readiness for, and compliance with, POPI.
26. Smart Legal solutions for business
Consumer protection
Protection of personal information
Labour law
Corporate legal solutions
27. Conclusion
Thank you for your time:
Contact: Imraan Kharwa
Cell: 082 34 34 811
Landline: 031 207 3901
Email: imraan@smartlegal.co.za
Social media:
LinkedIn: Smart Legal
Twitter: @smartlegalbiz
All Photo Credits: Images.google.com