POPI and Business
Transcript of POPI and Business
POPI at a high level
Gives effect to
constitutional right to privacy
Some legal definitions...
the person to whom personal information relates.
Conditions for lawful processing
Condition 2: Processing Limitation
of the data subject must be obtained
Condition 1: Accountability
The obligation of ensuring compliance with the conditions in POPI belongs to the
The first comprehensive privacy legislation in SA
information relating to persons (natural or juristic)
: a public or private body or any other person... ... which determines the purpose of and means for processing personal information
2. Processing limitation
3. Purpose specification
4. Further processing limitation
5. Information quality
"Special Personal Information"
: religious or philosophical beliefs, political persuasion, health or sex life or biometric information, criminal behavior whether offenses or proceedings
When does PI
have to be collected directly from a data subject?
Consent by the data subject
It is necessary to comply with a law, for court proceedings or in the interests of national security
To enforce legislation concerning the collection of taxes
Condition 3: Purpose Specification
PI must be collected for a
and lawful purpose related to a
function or activity
of the responsible party
The condition of
must be maintained
PI must be kept only as long as is
and it must be
Condition 6: Openness
All processing operations must be
steps must be taken to ensure that the data subject is aware of certain facts relating to his/her/its PI
Condition 4: Further processing limitation
Further processing must be
with the purpose of collection
Condition 5: Information Quality
"Reasonably practicable" steps must be taken to ensure that PI is complete, accurate, not misleading and updated where this is necessary
The purpose for which the information is collected must be regarded
if the processing
to comply with a law, for court proceedings or in the interests of
To enforce legislation for the collection of
This does not apply:
Condition 7: Security Safeguards
Reasonable, appropriate, technical
measures to prevent
loss, damage, or unlawful access or processing.
identification of all internal and external risks
establishing and maintaining appropriate safeguards
regularly verify that safeguards are implemented
continual updating in response to new risks
The Regulator must be notified of any security compromises.
Condition 8: Data subject participation
A data subject may request, free of charge, whether or not a responsible party holds PI concerning him or her
The data subject may, at a prescribed fee, request a record or description of the PI
The data subject may request corrections or deletion of the PI insofar as it is incorrect or is being processed unlawfully
And how does enforcement work?
Transgressions of most obligations in POPI are not offences
A regulator has been established to ensure the enforcement of POPI
People may lodge complaints with the regulator who must then investigate and if necessary, issue an enforcement notice
it is an offence not to comply with an enforcement notice
Is POPI in force yet?
How long do we have?
POPI is now finally an
Act of Parliament
It is not yet in force though - the President will have to bring it into force by
Once this happens we have
Are there good business reasons to ensure PI is handled well?
ISO 27001 - an information security management system
Designed to prevent the negligent disclosure of Personal Information
Systematised efficiency - turns the burden of compliance into a business necessity
Based on ISO 9001 - Quality
Organising security controls
Making sure the controls work
the CEO or equivalent officer or any person duly authorised by that officer.
the person who processes personal information in terms of a contract or mandate.
...at the time of determining the purpose and means of processing PI and during the processing of PI
Whether PI has been transferred to a foreign country or international organisation
level of protection
afforded to the PI by that foreign country or international organisation
They say that if more than one person knows a secret...
Competitive advantage - credibility, even required by suppliers
Quality assurance (international best practice)
lower insurance premiums
The sections relating to the
have been brought into force to enable its establishment
The conditions in POPI are very similar, if not identical to...
SAFE HARBOUR CONDITIONS
expression of will to process personal information
processing of PI must be
for performance of a
to which the data subject is a party
must protect a legitimate interest
of the data subject
for pursuing the
of the responsible party
PI Must be
from the data subject
the information collected and if from a public source, where it
was obtained from
your name and address
the purpose of collection
right to access, rectify, and object to the processing of PI
Obliged to take steps
that are reasonably practicable
This pops up again and again in POPI
It's an objective test, the standard of reasonableness
Corner Café vs Medical Scheme
PI Security Risk Assessment
it's not a secret anymore!
whether by automated means or not
any operation or activity, or set of operations
very widely defined
gunstons.com/category/popi-act-summary/
Trans-border Information flows
You may not transfer PI to a 3rd party in another country unless the 3rd party receiving the PI:
is subject to a law, binding corporate rules or a binding agreement
which upholds, and is effectively similar to, POPI (including onward transborder transfer obligations)
Consent or contract
The transfer is to the benefit of the data-subject (not reasonably practicable to obtain consent and they would consent anyway)
Processing PI for direct marketing is banned unless
has been obtained (or unless the data subject is a
If a customer, PI may only be processed:
if the contact details were obtained in the
of the sale of a product or service
for the purpose of marketing the responsible party's own similar products or services
if the data subject has had regular and easy chances to opt-out
One shot at gaining opt in:
If a data subject has not
consent, then you may approach the data subject
to obtain consent (in the prescribed manner and form).
7. Security safeguards
8. Data subject participation
Where to from here? (DIY and other steps)
Identifying purpose, functions, and uses of PI
Document how PI is handled
Reasonably practicable opinions
How is Personal Information Processed in my company?
This relates to
Condition 6: Openness (continued)
processing complies with an obligation imposed by
to approach a data subject (either in person or by mail or
direct or indirect
offering to supply
... ...any goods or services or
of any kind for any reason
Thank you very much!