Practical steps to prepare for POPI
1. Practical steps to take in preparation for the Protection of Personal Information Bill
Cross Border Data Transfer
Tammy Bortz
2. Introduction
POPI – very specific about how PI must be processed
No question that POPI will in some way impact most businesses in RSA
Not yet law, but given the implementation period of 1 year (proposal of 3), organisations need to start preparing now
International experience – anything between 3 and 5 years
Need to be practical
3. WHY COMPLY?
Non-compliance can have adverse consequences –
Civil remedies: institute civil action for damages, aggravated damages, interest and legal costs
Penalties: include imprisonment and a fine
Administrative fines (up to R1 million)
Adverse publicity, potentially leading to reputational damage
Increased regulatory scrutiny
King III – good governance includes governance of information and technology – “information governance”
Global business? Compliance will aid commerce
4. So…where to begin
Obvious starting point: does the organisation need to comply with POPI?
There are very few that don’t! Although some more than others
Need to consider in light of two important definitions in POPI
“PERSONAL INFORMATION”
“PROCESS”
5. “Personal information”
“personal information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number or other particular assignment to the person;
(d) the blood type or any other biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;
6. “Processing”
“processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as blocking, degradation, erasure or destruction of information
7. Responsible Party v. Operator
“Responsible Party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information
More extensive obligations under POPI
“Operator” means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party
Examples of operators: credit card processing, data storage, IT service providers (physical and virtual)
8. Role Players
Critical to have buy-in from the role players given the extensive scope of the exercise
Internal and external role players
Global company: need to involve all jurisdictions in which the company operates (especially where there is cross border data transfer)
Look at the type of business to identify who the key players are – requires an in-depth understanding of the business and the many ways in which PI is processed
Internal Role Players
Board of Directors/senior management (CEO, CIO, COO, FD etc)
IT (internal) – integral given that implementation will to a large degree involve IT system changes
Risk and Compliance officer/Legal
HR
Sales
Marketing
External Role Players
IT service providers (especially those who process PI of the company’s employees, customers etc)
Auditors
Lawyers
9. Audit/Due Diligence
Who should do this?
Internal v. External?
Depends on –
Scope of audit (size of organisation)
Budget
Need for the audit to be objective?
Internal capacity and expertise
Must have an in-depth understanding of POPI and other applicable legislation
Experience and understanding of how to conduct the audit and the necessary assessment techniques – questionnaires, workshops, interviews, presentation of findings etc
10. Project Plan
Prepare a “project plan”.
Project manager
Fundamental to have this in place –
Purpose of the audit – to ultimately ensure POPI (and other data privacy legislation) compliance
Scope (which areas of the business will be covered/which departments etc – local and foreign)
Role players and their specific tasks
Deliverables with time lines
Meetings/governance
Ultimate aim: to be able to prepare a comprehensive policy regulating processing of PI within the organisation
11. What next?
Once the scope of the audit is decided, there are benefits to preparing a questionnaire that is distributed to the identified departments/staff/role players.
The level of complexity of the questionnaire will depend on the level of staff understanding of the requirements (i.e. the purpose of the questionnaire, and why detailed and well considered answers are important).
Recommend: an initial and, if necessary, a follow-up workshop where POPI and the purpose of the audit are explained.
Best method: a combination of a well considered questionnaire and face to face interviews with key players
12. The Questionnaire
Prepared in such a way that the organisation can ultimately prepare a comprehensive data protection and management policy.
Useful to have guidance notes explaining what the organisation is looking for in terms of an answer.
Want a questionnaire that will elicit the most comprehensive and useful responses and minimise the need for follow-up interviews.
The questionnaire will in certain instances need to be adapted for the department in question.
May also need to include external business partners in this process insofar as they process PI.
Dedicated team/panel for this process.
13. The Questionnaire
What [Personal Information] do you [process]?
Give examples –
questionnaire to HR: cite examples of PI such as health details, disciplinary records, payroll details
questionnaire to IT providers: cite examples of PI such as cookies, email addresses, bank details (if there is an online trading offering)
Please provide templates/copies of all contracts (internal and external), standard terms of business, policies (including any data protection policies), procedures, manuals etc
Where and for how long is data stored? Is there a documented retention and destruction policy? If yes, please provide a copy
Is PI collected directly or indirectly from the relevant individuals, and if so, by which medium is it collected (in hard copy form, by telephone, over the internet etc.)?
What security processes and procedures are in place, both in respect of data when static and when in motion?
Is there a data security policy? If yes, please provide a copy
14. The Questionnaire (cont.)
Does the PI collected/requested exceed the purposes for which it was collected (for example, if the PI was collected for the purposes of selling a cell phone, it is not relevant to know the religion or have any details about the individual’s health)?
Do we have procedures in place to ensure that PI is kept accurate for the period of retention (for example, prompting online customers to update their details every six months)?
Do we outsource any processing of PI to a third party and, if yes, do we have any contracts in place with such third parties?
If yes, do these contracts regulate how such service providers must protect and process such information?
Do we receive PI from foreign jurisdictions and, if yes, from where?
Do we transmit PI to foreign jurisdictions and, if yes, to where?
Do we have any documented rules for cross border data transfer?
Direct marketing: what consents do we have in place?
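The questionnaire items on slides 13 and 14 (minimality of PI against purpose, retention and security policies, accuracy procedures, operator contracts, cross border transfers in and out, and marketing consents) map naturally onto a structured processing inventory that the audit team can check mechanically before drafting the policy. The script below is an added example, not part of the presentation: it models each department's answers as a record, runs the questionnaire's checks over it and returns the gaps as a report. The field names, the rule set, the home-country assumption (South Africa as the responsible party's jurisdiction) and the two sample activities are all assumptions constructed for illustration.

```python
"""Gap check over a processing inventory built from POPI audit questionnaire answers.

Added example (not part of the presentation). Field names, the sample
activities and the rule set are assumptions: they follow the questions on
the questionnaire slides, not any prescribed POPI checklist.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

HOME_COUNTRY = "ZA"  # assumption: the responsible party is based in South Africa


@dataclass
class ProcessingActivity:
    """One department's questionnaire answers, in structured form."""
    name: str
    department: str
    purpose: str
    pi_collected: Set[str]          # categories of PI actually collected
    pi_needed: Set[str]             # categories the stated purpose requires
    collection_media: List[str]     # hard copy, telephone, internet ...
    received_from: List[str] = field(default_factory=list)   # country codes
    transferred_to: List[str] = field(default_factory=list)  # country codes
    retention_policy: bool = False
    security_policy: bool = False
    accuracy_procedure: bool = False
    operator: Optional[str] = None   # third party processing PI on our behalf
    operator_contract: bool = False
    contract_covers_protection: bool = False
    cross_border_rules: bool = False
    direct_marketing: bool = False
    marketing_consent: bool = False


def assess(activity: ProcessingActivity) -> List[str]:
    """Return the list of gap findings for one activity (empty list = no gaps)."""
    findings: List[str] = []

    # Minimality: PI beyond what the purpose needs (the cell phone / religion example)
    excess = activity.pi_collected - activity.pi_needed
    if excess:
        findings.append(f"excess PI for purpose '{activity.purpose}': {sorted(excess)}")

    # Retention, security and accuracy questions
    if not activity.retention_policy:
        findings.append("no documented retention and destruction policy")
    if not activity.security_policy:
        findings.append("no documented data security policy (static and in motion)")
    if not activity.accuracy_procedure:
        findings.append("no procedure to keep PI accurate for the retention period")

    # Outsourcing to an operator: a contract must exist and must regulate protection
    if activity.operator:
        if not activity.operator_contract:
            findings.append(f"PI processed by operator '{activity.operator}' without a contract")
        elif not activity.contract_covers_protection:
            findings.append(
                f"contract with operator '{activity.operator}' does not regulate "
                "protection and processing of PI")

    # Cross border transfer, out of and into the home jurisdiction
    outbound = sorted(c for c in activity.transferred_to if c != HOME_COUNTRY)
    if outbound and not activity.cross_border_rules:
        findings.append(f"PI transferred to {outbound} without documented cross border rules")
    inbound = sorted(c for c in activity.received_from if c != HOME_COUNTRY)
    if inbound:
        findings.append(f"PI received from {inbound}: check those jurisdictions' transfer rules")

    # Direct marketing consents
    if activity.direct_marketing and not activity.marketing_consent:
        findings.append("direct marketing without recorded consents")

    return findings


def assess_inventory(inventory: List[ProcessingActivity]) -> Dict[str, List[str]]:
    """Map each activity name to its findings: the report the policy is drafted from."""
    return {a.name: assess(a) for a in inventory}


# Constructed sample answers for two departments (not real data)
SAMPLE_INVENTORY = [
    ProcessingActivity(
        name="payroll", department="HR", purpose="pay employees",
        pi_collected={"name", "id number", "bank details", "tax number", "religion"},
        pi_needed={"name", "id number", "bank details", "tax number"},
        collection_media=["hard copy"],
        retention_policy=True, security_policy=True, accuracy_procedure=True,
        operator="payroll bureau", operator_contract=True, contract_covers_protection=True,
    ),
    ProcessingActivity(
        name="online store", department="Sales", purpose="sell goods online",
        pi_collected={"name", "email", "delivery address", "card number"},
        pi_needed={"name", "email", "delivery address", "card number"},
        collection_media=["internet"],
        received_from=["GB"], transferred_to=["IE"],
        retention_policy=False, security_policy=True, accuracy_procedure=False,
        operator="card processor", operator_contract=True, contract_covers_protection=False,
        cross_border_rules=False, direct_marketing=True, marketing_consent=False,
    ),
]

if __name__ == "__main__":
    for name, gaps in assess_inventory(SAMPLE_INVENTORY).items():
        print(name, "->", gaps or ["no gaps found"])
```

Each finding corresponds to one questionnaire item, so the collated answers from every department become a single list of gaps that the policy drafting step on slide 15 can work through; the inbound-transfer finding is deliberately a prompt to check the source jurisdiction's law rather than a verdict, since that depends on the country in question.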
15. Next Steps?
Collate answers
Start to prepare policy
May require follow up questionnaires, interviews
Ongoing process
16. Cross Border Data Transfer
Major issue – seen as one of the impediments to global trade
Two components –
Can personal data be transferred outside South Africa?
Can personal data be returned to South Africa?
Transfer out
Common law: may require consent of the data owner
POPI: places restrictions on cross border data transfer (Section 74 of POPI)
Transfer in
Will need to consider the laws of the particular jurisdiction in which the data is held. Many countries have restrictions, such as the UK, Switzerland, Ireland, Australia etc.
17. Cross Border Data Transfer
International developments
New EU Regulation
USA: USA Consumer Data Privacy framework