This document discusses the Protection of Personal Information (POPI) Act in South Africa and how it will impact companies. It provides an overview of POPI, explaining that it establishes conditions for lawful processing of personal information, including collection, processing limitations, data security, and rights of the data subject. The document also outlines an approach for companies to become compliant with POPI through transforming people, processes, and technology using insight, roadmapping, and enablement. Offerings are provided around strategy, training, change management, data management, and processes.
3. A BACKGROUND ON PRIVACY
Olmstead case – basis of our understanding of privacy
Important because information has become easily accessible:
46% increase from 2010
Crime committed:
– every 3.5 minutes in NYC
– every 2.5 minutes in Tokyo
– every 3 seconds an identity stolen online
Highest number of cybercrime victims worldwide:
– 92% RUSSIA
– 84% CHINA
– 80% SOUTH AFRICA
Greater revenue than drug trade
Mobile growth sparks increase
5. WHAT IS POPI?
Right to be left alone
Enshrined in sect 14 of Constitution
Balances right of privacy with other rights, in particular access to information
Prescribes minimum processing requirements
Provides remedies to abuse of PI
Protects free flow of information
International harmony
6. DID YOU KNOW: THE PROTECTION OF PERSONAL INFORMATION (POPI) ACT WILL HAVE AN IMPACT ON ALMOST EVERY COMPANY OPERATING IN SA?
7. THE POPI ACT WILL ESTABLISH A CODE OF CONDUCT FOR CONFIDENTIAL HANDLING OF PERSONAL INFORMATION
8. CONDITIONS FOR LAWFUL PROCESSING OF PERSONAL INFORMATION
Collection of data (Accountability)
Processing limitations
Retention & Deletion of data (Purpose Specification)
Further Processing of Data
Data security (Security Safeguards)
Data subject participation
Notification (Openness)
Information Quality
9. COLLECTION OF DATA
Information must be collected directly from the individual
Exceptions:
– Public records
– Consent given to a third party
– Law enforcement
10. COLLECTION OF DATA
The person must be aware of the purpose for collecting their personal information and give consent
There is additional consent needed to store and process data outside of South Africa
20. DATA SUBJECT PARTICIPATION
A person must be able to:
Find who has their data
Request a copy of all personal information held by an organisation
Request amendments or deletion of their data, and receive proof this has been done
21. NOTIFICATION
Reasonable steps must be taken to ensure that the data subject is aware of breaches to information
Data Subjects must be supplied with information:
– How collected
– Contact details of Responsible Party
– Purpose and Consequences
– Laws authorising or requiring collection of information
– When the Responsible Party intends to send the information to a third party or across international borders, including level of protection
– Any further information
24. EXCEPTIONS
Processed for purely personal or household activities
De-identified Personal Information
Processed for national security, defence or public safety
Processed in investigating and prosecuting crime
Cabinet and EC of Provinces
Exemptions granted by Regulator
Journalistic purposes
26. OUR APPROACH
We can help companies define a strategy and roadmap to become compliant with the POPI Act.
We provide a complete and holistic execution that interweaves the key areas of PEOPLE, PROCESSES and TECHNOLOGY
27. PROCESS DIAGRAM
Our transformational approach focusing on enablement of people, process and technology.
INSIGHT
TRANSFORMATION
ROADMAP
ENABLEMENT
• People understanding
• Skills and capacity
• Process capability
• Technology availability and capability
Design the business response to ensure effective and efficient compliance
Prioritised investment route map based on business and IT considerations in support of defined architecture
Current state
POPI vision and strategy
People education
Process compliance
Technology capability
29. PROCESS DIAGRAM
Our transformational approach focusing on enablement of people, process and technology.
Current state
POPI vision and strategy
People education
Process compliance
Technology capability
Status of Enablement
Business and compliance risks
Business and risk considerations
Costs and time considerations
Business architecture
Information systems architecture
Technology architecture
People enablement