POPI Seminar FINAL

The increasing need for data security

• As revealed in the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost of a breach to a company was US$3.5 million, 15 percent more than it cost the previous year.
• On average, South African companies that experienced a breach in the last 12 months reported a cost to their organisation of upwards of R5.6 million.
• According to AON, an estimated 70% of all South African businesses are unprepared for cyber crime and cyber liability.
Source: www.businessinsider.com

Forms of data breaches

• Phishing (SARS, banking)
• Credit card cloning (hotels, shopping)
• Weak/insecure passwords (name, 786)
• Unauthorised employee access to sensitive information (secretaries)
• Hacking (external/internal)
• Theft of information (employees/corporate espionage)
• Theft of devices (laptops/cellphones)

Causes of data breaches

• Keeping too much data around.
• Failing to encrypt laptops, mobile devices and removable media.
• Poorly designed business processes.
• Accidental publishing to the web or email.
• Lack of appropriate access controls.

The need for data protection legislation

• The need for personal data protection was first considered by a European Union Directive in 1995.
• In 2012 the EU adopted the European Data Protection Regulations amidst increasing data breaches and information leaks.
• In line with international standards, South Africa gazetted the Protection of Personal Information Act in November 2013.
• To date, the United States still has no unified law on personal data protection, leaving organisations, businesses and shadow agencies free to deal with personal information in any way they see fit.
• Edward Snowden (ex-NSA) exposed the extent to which personal data is abused in the United States, e.g. agents used data to track spouses, spy on neighbours and steal information from friends and colleagues.

A South African perspective

• The Bill of Rights, Section 14: “Everyone has the right to privacy, which includes the right not to have their person or home searched; their property searched; their possessions seized; or the privacy of their communications infringed.”
• The Protection of Personal Information Bill of 2009 and Act of 2013.

Who does POPI apply to?

• POPI applies to all businesses within the Republic of South Africa, including private and public bodies.
• Certain bodies are specifically excluded from POPI, including the SAPS when investigating crimes, and the various intelligence agencies when maintaining national security.
• Other exclusions set out in Section 4 of the Act include:
  • purely household or personal activity
  • sufficiently de-identified information
  • some state functions, including criminal prosecutions, national security etc.
  • journalism under a code of ethics
  • judiciary functions

What is personal information?

• Contact details: email, telephone, address etc.
• Demographic information: age, sex, race, birth date, ethnicity etc.
• History: employment, financial, educational, criminal and medical history
• Biometric information: blood type, fingerprints etc.
• Opinions of and about the person
• Private correspondence etc.

How is personal information collected?

• Client or customer information forms
• Credit applications
• Online submissions
• Registration forms
• Entry into competitions
• Cellular submissions
• Referrals from others *
• Sale of databases **

The direct marketing dilemma

“Direct marketing” means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of –
• promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or
• requesting the data subject to make a donation of any kind for any reason.

Opt in vs opt out

Old standard: automatically opted in; unsubscribe or SMS “Stop” to opt out.
vs
POPI standard: explicitly opt in to receive direct marketing.

Consent to data processing

• “Consent” means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.
• Opportunities to opt out –
  1. when the personal information is first collected; and
  2. with each subsequent communication.

8 processing conditions

• Accountability: mandatory compliance with the Act and the Information Regulator.
• Processing limitation: data must be processed in a fair and lawful manner.
• Purpose specification: data must only be used for explicitly defined and legitimate reasons.
• Further processing limitation: not allowed unless express permission is granted.

Processing conditions (continued)

• Information quality: must ensure that information is kept reliable, accurate and up to date.
• Openness: the data subject must be informed of all data collected and must grant permission for its usage.
• Security safeguards: safeguards must be implemented, both physical and non-physical (software).
• Data subject participation: the data subject may request information, corrections of misleading or false information, or that information be deleted.

Designated Information Officer

• Every organisation is required in terms of the Act to appoint a designated Information Officer.
• The Information Officer’s responsibilities include:
  • encouraging compliance with the conditions for the lawful processing of personal information;
  • dealing with requests pursuant to the Act and interacting with the Regulator; and
  • otherwise ensuring compliance with the provisions of the Act.
• We recommend that the Information Officer appointed is someone in a high-level position within the organisation.

The Information Regulator

The Regulator’s powers, duties and functions are to:
• provide education, including promoting understanding and acceptance of the conditions for lawful processing of personal information;
• monitor and enforce compliance through the powers vested in it by the legislation;
• consult with interested parties on a national and international basis;
• handle and investigate complaints;
• conduct research and report to Parliament on international developments;
• assist in the establishment and development of codes of conduct;
• facilitate cross-border cooperation in the enforcement of privacy laws with other jurisdictions; and
• generally do everything necessary to fulfil these duties and foster a culture which protects personal information in South Africa.

Consequences of non-compliance with POPI

• Suffer reputational damage
• Lose customers and fail to attract new ones
• Pay out millions in damages to a civil class action
• Be fined up to R10 million or face 10 years’ imprisonment

What does compliance entail?

• Audit the processes used to collect, record, store, disseminate and destroy personal information. Organisations must take steps to prevent the information being lost or damaged, or unlawfully accessed.
• Define the purpose of the information gathering and processing: personal information must be collected for a specific, explicitly defined and lawful purpose.
• Limit the processing parameters: the processing must be lawful, and personal information may only be processed if it is adequate, relevant and not excessive given the purpose for which it is processed.
• Take steps to notify the ‘data subject’: the individual whose information is being processed has the right to know that this is being done, and why.
• Check the rationale for any further processing: if information is received via a third party for further processing, this further processing must be compatible with the purpose for which the data was initially collected.

Further compliance

• Ensure information quality: the company processing the information must make sure the information is complete, accurate, up to date and not misleading or false.
• Notify the Information Protection Regulator: organisations processing personal information will have to notify the Regulator about their actions once the regulations are in effect.
• Accommodate data subject requests: POPI allows data subjects to make certain requests, free of charge, to organisations holding their personal information. For instance, the data subject has the right to know the identity of all third parties that have had access to their information.
• Retain records for required periods: personal information must be destroyed, deleted or ‘de-identified’ as soon as the purpose for collecting the information has been achieved.
• Cross-border data transfer: there are restrictions on sending personal information out of South Africa as well as on the transfer of personal information back into South Africa.

Frequently asked questions

• I’m not a criminal or a terrorist, why does my information need to be protected?
• How will the Protection of Personal Information Act be enforced?
• Do I need to hire an additional staff member to be my Information Officer?
• When do I need to get compliant with the Act?

How Smart Legal will help your business

• Smart Legal has extensive expertise and experience in data protection policy and implementation within businesses.
• Our assessments and policies are tailor-made to your specific business’ needs and requirements.
• Our approach is unique, efficient and effective.
• Seminar attendees will be entitled to a free assessment of your business’ readiness for and compliance with POPI.

Smart Legal solutions for business

• Consumer protection
• Protection of personal information
• Labour law
• Corporate legal solutions

Conclusion

Thank you for your time.
Contact: Imraan Kharwa
Cell: 082 34 34 811
Landline: 031 207 3901
Email: imraan@smartlegal.co.za
Social media:
LinkedIn: Smart Legal
Twitter: @smartlegalbiz
All photo credits: Images.google.com
