POPI and Business
Challenges, Impacts & Opportunities
by Garth Watson
on 25 November 2015

Transcript of POPI and Business

POPI and Business
Challenges, Impacts and Opportunities

POPI at a high level
  • The first comprehensive privacy legislation in SA
  • Gives effect to the constitutional right to privacy

Some legal definitions...
"Data subject": the person to whom personal information relates.
"Personal Information": information relating to persons (natural or juristic).
"Special Personal Information": religious or philosophical beliefs, political persuasion, health or sex life or biometric information, criminal behaviour whether offences or proceedings.
"Responsible Party": a public or private body or any other person which determines the purpose of and means for processing personal information.
"Operator": the person who processes personal information in terms of a contract or mandate.
"Information officer": the CEO or equivalent officer or any person duly authorised by that officer.
"Processing": any operation or activity, or set of operations, whether by automated means or not, concerning PI. Very widely defined, it includes: collection, receipt, recording, organisation, collation, storage, updating, modification, retrieval, alteration, consultation, use, dissemination, merging, linking, restriction, degradation, erasure and destruction.
"Consent": any voluntary, specific and informed expression of will to process personal information.
"Reasonably practicable": obliged to take steps that are reasonably practicable. This pops up again and again in POPI. It's an objective test, the standard of reasonableness: commercial reasonableness (Corner Café vs Medical Scheme).

Conditions for lawful processing
1. Accountability
2. Processing limitation
3. Purpose specification
4. Further processing limitation
5. Information quality
6. Openness
7. Security safeguards
8. Data subject participation

Condition 1: Accountability
The obligation of ensuring compliance with the conditions in POPI belongs to the responsible party... at the time of determining the purpose and means of processing PI and during the processing of PI.

Condition 2: Processing Limitation
  • The consent of the data subject must be obtained
  • Processing of PI must be necessary for performance of a contract to which the data subject is a party
  • Processing complies with an obligation imposed by law
  • Processing must protect a legitimate interest of the data subject
  • Processing must be necessary for pursuing the legitimate interest of the responsible party
  • PI must be collected directly from the data subject
When does PI not have to be collected directly from a data subject?
  • Consent by the data subject
  • It is necessary to comply with a law, for court proceedings or in the interests of national security
  • To enforce legislation concerning the collection of taxes

Condition 3: Purpose Specification
PI must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party. The condition of openness must be maintained. PI must be kept only as long as is necessary, and it must be secure.

Condition 4: Further processing limitation
Further processing must be compatible with the purpose of collection; the purpose for which the information is collected must be regarded.
This does not apply:
  • to publicly available information
  • if the processing is necessary to comply with a law, for court proceedings or in the interests of national security
  • to enforce legislation for the collection of tax

Condition 5: Information Quality
"Reasonably practicable" steps must be taken to ensure that PI is complete, accurate, not misleading and updated where this is necessary.

Condition 6: Openness
All processing operations must be documented. "Reasonably practicable" steps must be taken to ensure that the data subject is aware of certain facts relating to his/her/its PI:
  • the information collected and, if from a public source, where it was obtained from
  • your name and address
  • the purpose of collection
  • the right to access, rectify and object to the processing of PI
  • whether PI has been transferred to a foreign country or international organisation
  • the level of protection afforded to the PI by that foreign country or international organisation
Condition 6: Openness (continued)
A privacy policy is necessary.

Condition 7: Security Safeguards
Reasonable, appropriate, technical and organisational measures to prevent loss, damage, or unlawful access or processing:
  • identification of all internal and external risks
  • establishing and maintaining appropriate safeguards
  • regularly verifying that safeguards are implemented
  • continual updating in response to new risks
The Regulator must be notified of any security compromises.
PI Security Risk Assessment
They say that if more than one person knows a secret... it's not a secret anymore!

Condition 8: Data subject participation
  • A data subject may request, free of charge, whether or not a responsible party holds PI concerning him or her
  • The data subject may, at a prescribed fee, request a record or description of the PI
  • The data subject may request corrections or deletion of the PI insofar as it is incorrect or is being processed unlawfully

Trans-border Information flows
You may not transfer PI to a 3rd party in another country unless the 3rd party receiving the PI:
  • is subject to a law, binding corporate rules or a binding agreement which upholds and is effectively similar to POPI (including onward transborder transfer obligations)
OR
  • Consent or contract
OR
  • The transfer is to the benefit of the data subject (not reasonably practicable to obtain consent, and they would consent anyway)

Direct Marketing
This relates to direct marketing, which involves approaching a data subject (either in person or by mail or electronic communication) for the direct or indirect purpose of promoting or offering to supply any goods or services, or requesting a donation of any kind for any reason.
Processing PI for direct marketing is banned unless consent has been obtained (or unless the data subject is a customer).
If a customer, PI may only be processed:
  • if the contact details have been obtained in the context of the sale of a product or service
  • for the purpose of marketing the responsible party's own similar products or services
  • if the data subject has had regular and easy chances to opt out
One shot at gaining opt-in:
If a data subject has not previously withheld consent, then you may approach the data subject only once to obtain consent (in the prescribed manner and form).

And how does enforcement work?
  • Transgressions of most obligations in POPI are not offences
  • A regulator has been established to ensure the enforcement of POPI
  • People may lodge complaints with the regulator, who must then investigate and, if necessary, issue an enforcement notice
  • It is an offence not to comply with an enforcement notice

Is POPI in force yet? How long do we have?
POPI is now finally an Act of Parliament. It is not yet in force though - the President will have to bring it into force by proclamation in the Government Gazette. Once this happens we have twelve months to comply. The sections relating to the Regulator have been brought into force to enable its establishment.

The conditions in POPI are very similar, if not identical to, the SAFE HARBOUR CONDITIONS:
  • Notice
  • Choice
  • Onward Transfer
  • Security
  • Data Integrity
  • Access
  • Enforcement

Are there good business reasons to ensure PI is handled well?
ISO 27001 - an information security management system
  • Designed to prevent the negligent disclosure of Personal Information
  • Systematised efficiency - turns the burden of compliance into a business necessity
  • Based on ISO 9001 - Quality
  • Organising security controls
  • Making sure the controls work
  • Competitive advantage - credibility, even required by suppliers
  • Quality assurance (international best practice)
  • Lower insurance premiums

Where to from here? (DIY and other steps)
How is Personal Information Processed in my company?
  • Identifying purpose, functions and uses of PI
  • Document how PI is handled
  • Privacy policy
  • Contracts
  • Risk assessments
  • Reasonably practicable opinions
  • Security audit
  • ISMS implementation

Thank you very much!
garth@gunstons.com - gunstons.com/category/popi-act-summary/ follow us