IK
Uploaded byImraan Kharwa
PPTX, PDF551 views

POPI Seminar FINAL

The document discusses the increasing need for data security and protection due to rising costs of data breaches. It outlines common forms of data breaches like phishing, hacking, and employee theft. Reasons for breaches include keeping too much data, unencrypted devices, poor access controls, and accidental sharing. The document then discusses data protection laws in South Africa and the EU, as well as how the Protection of Personal Information Act regulates how personal data is collected and processed in South Africa. Non-compliance can result in fines and jail time, so businesses must audit their data practices, limit processing, and respond to individual requests.

Downloaded 32 times
The Increasing need for data security  As revealed in the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost to a company was $3.5 million in US dollars and 15 percent more than what it cost last year.  On average, South African companies that experienced a breach in the last 12 months reported a cost to their organisation of upwards of R 5.6 Million  According to AON, an estimated 70% of all South African Businesses are unprepared for cyber crimes and cyber liability
Source: www.businessinsider.com
Forms of data breaches Phishing (SARS, Banking) Credit card cloning (Hotels, Shopping) Weak/unsecure passwords (Name,786) Unauthorised employee access to sensitive information (Secretaries) Hacking (external/internal) Theft of information (employees/corporate espionage) Theft of devices (laptops/cellphones)
Causes of data breaches Keeping too much data around Failing to encrypt laptops, mobile devices and removable media. Poorly designed business processes. Accidental publishing to the web or email. Lack of appropriate access controls.
The need for data protection legislation  The need for personal data protection was first considered by a European Union Directive in 1995  In 2012 the E.U Adopted the European Data Protection Regulations amidst increasing data breaches and information leaks.  In line with International Standards, South Africa gazetted The Protection of Personal Information Act in November 2013  To date, the United States still has no unified law on personal data protection – leaving organisations, businesses and shadow agencies free to deal with personal information in anyway they see fit.  Edward Snowden (Ex-NSA) exposed the extent to which personal data is abused in the United States. Eg: Agents used data to track spouses, spy on neighbours, steal information off friends and colleagues.
A South African Perspective  The Bill of Rights: Section (14) “Everyone has the right to privacy, which includes the right not to have their person or home searched; their property searched; their possessions seized; or the privacy of their communications infringed.”  The Protection of Personal Information Bill of 2009 and Act of 2013
Who does POPI apply to?  POPI applies to all businesses within the Republic of South Africa, including private and public bodies.  Certain bodies are specifically excluded from POPI, including the SAPS, when investigating crimes, and the Various Intelligence Agencies, when maintaining National Security.  Other exclusions set out in Section 4 of the Act include Information that is:  purely household or personal activity  sufficiently de-identified information  some state functions including criminal prosecutions, national security etc.  journalism under a code of ethics  judiciary functions
What is Personal Information? Contact details: email, telephone, address etc. Demographic information: age, sex, race, birth date, ethnicity etc. History: employment, financial, educational, criminal, medical history Biometric information: blood type, finger prints etc. Opinions of and about the person Private Correspondence etc.
How is Personal Information collected? Client or customer information forms Credit applications Online submission Registration forms Entry into competitions Cellular submissions Referrals from others * Sale of databases **
The Direct Marketing Dilemma “direct marketing” means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of – promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or requesting the data subject to make a donation of any kind for any reason;
Opt In VS Opt Out Old Standard: Automatically opt in and unsubscribe or SMS Stop to opt out VS POPI Standard: Explicitly opt in to receive direct marketing
Consent to data processing  ‘‘Consent’’ means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information  Opportunities to opt-out – 1. When the personal information is first collected; and 2. With each subsequent communication.
8 Processing Conditions  Accountability mandatory compliance with the Act and information regulator  Processing limitation data must be processed in fair and lawful manner  Purpose specification data must only be used for explicitly defined and legitimate reasons  Further processing limitation no allowed unless express permission is granted
Further Processing Conditions  Information quality must ensure that info is kept reliable, accurate and up to date  Openness data subject must be informed of all data collected, grant permission for usage  Security Safeguards safeguards must be implemented, physical and non physical – software  Data subject participation may request info, corrections, of misleading, false info, info to be deleted
Designated Information Officer  Every organisation is required in terms of the Act to appoint a designated Information Officer  Information Officer’s responsibilities include:  encouragement of compliance with the Conditions for the Lawful Processing of Personal Information;  dealing with requests pursuant to this Act; interaction with the Regulator; and  otherwise ensuring compliance with the provisions of the Act.  We recommend that the Information Officer appointed is someone in a high level position within the organisation
The Information Regulator  The Regulator’s powers, duties and functions are to:  provide education, including the promotion of understanding and acceptance of the Conditions of lawful processing of Personal Information;  monitor and enforce compliance through the powers vested in it by the legislation;  consult with interested parties on a national and international basis;  handle and investigate complaints;  conduct research and report to Parliament on international developments;  assist in the establishment and development of codes of conduct;  facilitate cross-border cooperation in the enforcement of privacy laws with other jurisdictions; and  generally do everything necessary to fulfil these duties, and foster a culture which protects personal information in South Africa.
Consequences of Non- compliance with POPI  Suffer reputational damage  Lose customers and fail to attract new ones  Pay out millions in damages to a civil class action  Be fined up to R10 million or face 10 years imprisonment
What does compliance entail?  Audit the processes used to collect, record, store, disseminate and destroy personal information. They must take steps to prevent the information being lost or damaged, or unlawfully accessed.  Define the purpose of the information gathering and processing: personal information must be collected for a specific, explicitly defined and lawful purpose.  Limit the processing parameters: the processing must be lawful and personal information may only be processed if it is adequate, relevant and not excessive given the purpose for which it is processed.  Take steps to notify the ‘data subject’: the individual whose information is being processed has the right to know this is being done and why.  Check the rationale for any further processing: if information is received via a third party for further processing, this further processing must be compatible with the purpose for which the data was initially collected.
Further Compliance  Ensure information quality: the company processing the information must make sure the information is complete, accurate, up to date and not misleading or false.  Notify the information Protection Regulator: Organisations processing personal information will have to notify the Regulator about their actions once the regulations are in effect.  Accommodate data subject requests: POPI allows data subjects to make certain requests, free of charge, to organisations holding their personal information. For instance, the data subject has the right to know the identity of all third parties that have had access to their information.  Retain records for required periods: personal information must be destroyed, deleted or ‘de-identified’ as soon as the purpose for collecting the information has been achieved.  Cross border data transfer: there are restrictions on the sending of personal information out of South Africa as well as on the transfer of personal information back into South Africa.
Frequently asked questions  I’m not a criminal or a terrorist, why does my information need to be protected?  How will the Protection of Personal Information Act be enforced?  Do I need to hire an additional staff member to be my Information Officer?  When do I need to get compliant with the Act?
How Smart Legal will help your business  Smart Legal has extensive expertise and experience in data protection policy and implementation within businesses  Our assessments along with policies are tailor made to your specific business’ needs and requirements  Our approach is unique, efficient and effective  Seminar Attendees will be entitled to a Free assessment on your business’ readiness for and compliance with POPI
Smart Legal Solutions for business Consumer Protection Protection Of Personal Information Labour Law Corporate Legal Solutions
Conclusion Thank you for your time: Contact: Imraan Kharwa Cell: 082 34 34 811 Landline: 031 207 3901 Email: imraan@smartlegal.co.za Social media: Linkedin: Smart Legal Twitter: @smartlegalbiz All Photo Credits: Images.google.com

More Related Content

PPTX
Popi act presentation
byKholisile Mazaza
 
PPSX
POPI Act compliance presentation
byOvationsGroup
 
PPTX
The Protection of Personal Information Act 4 of 2013
byMyron Duncan Burton Betshanger
 
PPTX
The Popi Act 4 of 2013 - Implications for iSCM
byMyron Duncan Burton Betshanger
 
PPTX
Protection of Personal Information Bill (POPI)
byRobert MacLean
 
PPTX
The Protection of Personal Information Act: A Presentation
byEndcode_org
 
PPTX
POPI Update 2013
byContact Centre Management Group
 
PDF
POPI
byPOPI ACT Protection of Personal Info
 
Popi act presentation
byKholisile Mazaza
 
POPI Act compliance presentation
byOvationsGroup
 
The Protection of Personal Information Act 4 of 2013
byMyron Duncan Burton Betshanger
 
The Popi Act 4 of 2013 - Implications for iSCM
byMyron Duncan Burton Betshanger
 
Protection of Personal Information Bill (POPI)
byRobert MacLean
 
The Protection of Personal Information Act: A Presentation
byEndcode_org
 
POPI Update 2013
byContact Centre Management Group
 
POPI
byPOPI ACT Protection of Personal Info
 

What's hot

PDF
Privacy and Data Security
byWilmerHale
 
PPTX
Data protection ppt
bygrahamwell
 
PPT
Data Protection Act
bymrmwood
 
PDF
Introduction to EU General Data Protection Regulation: Planning, Implementati...
byFinancial Poise
 
PDF
Werksmans presentations on popi
byWerksmans Attorneys
 
PDF
Personal Data Protection Act - Employee Data Privacy
bylegalPadmin
 
PDF
Privacy and Data Protection in South Africa
byblogzilla
 
PPTX
Protection of Personal Information
byFrancois Naude Jr.
 
PDF
Cor concepts information governance-protection-of-personal-information-act-popi
byRobust Marketing & Consulting (Pty) Ltd
 
PPT
Safety And Security Of Data 4
byWynthorpe
 
PDF
Practical steps to take in preparation for the Protection of Personal Informa...
byWerksmans Attorneys
 
PDF
Saying "I Don't": the requirement of data subject consent for purposes of dat...
byWerksmans Attorneys
 
PPTX
POPI Seminar
byMarketing Durban Chamber
 
PPT
Data Protection Act
byYizi
 
PPT
Privacy and Data Security: Risk Management and Avoidance
byAmy Purcell
 
PPTX
Ovations Group - Introducing the Protection of Personal Information (PoPI) ac...
byOvationsGroup
 
PPTX
Clyrofor popia readiness webinar
byLesedi Mnisi
 
PDF
Opportunities and benefits of POPI
byPOPI ACT Protection of Personal Info
 
PDF
Put your left leg in, put your left leg out: the exclusions and exemptions of...
byWerksmans Attorneys
 
Privacy and Data Security
byWilmerHale
 
Data protection ppt
bygrahamwell
 
Data Protection Act
bymrmwood
 
Introduction to EU General Data Protection Regulation: Planning, Implementati...
byFinancial Poise
 
Werksmans presentations on popi
byWerksmans Attorneys
 
Personal Data Protection Act - Employee Data Privacy
bylegalPadmin
 
Privacy and Data Protection in South Africa
byblogzilla
 
Protection of Personal Information
byFrancois Naude Jr.
 
Cor concepts information governance-protection-of-personal-information-act-popi
byRobust Marketing & Consulting (Pty) Ltd
 
Safety And Security Of Data 4
byWynthorpe
 
Practical steps to take in preparation for the Protection of Personal Informa...
byWerksmans Attorneys
 
Saying "I Don't": the requirement of data subject consent for purposes of dat...
byWerksmans Attorneys
 
POPI Seminar
byMarketing Durban Chamber
 
Data Protection Act
byYizi
 
Privacy and Data Security: Risk Management and Avoidance
byAmy Purcell
 
Ovations Group - Introducing the Protection of Personal Information (PoPI) ac...
byOvationsGroup
 
Clyrofor popia readiness webinar
byLesedi Mnisi
 
Opportunities and benefits of POPI
byPOPI ACT Protection of Personal Info
 
Put your left leg in, put your left leg out: the exclusions and exemptions of...
byWerksmans Attorneys
 

Similar to POPI Seminar FINAL

PPTX
Safeguarding Information: An Overview of Data Protection
bytudokimberlyann
 
PPTX
Data Privacy: Protecting Information in the Digital Age
bySajal Jain
 
PDF
Introduction to data protection
byRachel Aldighieri
 
PPTX
Chapter 08 – Data Protection, Privacy and Freedom of Information - BIT IT5104
byUpekha Vandebona
 
PPTX
3A – DATA PROTECTION: ADVICE
byCFG
 
PDF
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
byFrank Dawson
 
PPTX
GDPR training
byASL
 
PPTX
An introduction to data protection - Manchester - 24/06/15
byRachel Aldighieri
 
PPTX
An introduction to data protection - 2/09/2015
byRachel Aldighieri
 
PDF
Ppt
byGareth Badrian
 
PPTX
Popi and Sharepoint 2010
byWillem Burger
 
PDF
Uchi data local presentation 2020
byChristo W. Meyer
 
PDF
2014-04-16 Protection of Personal Information Act Readiness Workshop
byPaul Jacobson
 
PDF
GDPR for your Payroll Bureau
byBrightPay Payroll and Auto Enrolment Software
 
PDF
GDPR for your Payroll Bureau
byBrightPay Payroll and Auto Enrolment Software
 
PDF
POPI_Overview_E
bySamm V. Cooper - Dunstan
 
PDF
POPI_Overview_E
byBruce Hudson
 
PDF
2014-09-18 Protection of Personal Information Act readiness workshop
byPaul Jacobson
 
PPTX
Introduction to data protection - Edinburgh - 29/04/15
byRachel Aldighieri
 
PPTX
Protection of Personal Information
byFrancois Naude Jr.
 
Safeguarding Information: An Overview of Data Protection
bytudokimberlyann
 
Data Privacy: Protecting Information in the Digital Age
bySajal Jain
 
Introduction to data protection
byRachel Aldighieri
 
Chapter 08 – Data Protection, Privacy and Freedom of Information - BIT IT5104
byUpekha Vandebona
 
3A – DATA PROTECTION: ADVICE
byCFG
 
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
byFrank Dawson
 
GDPR training
byASL
 
An introduction to data protection - Manchester - 24/06/15
byRachel Aldighieri
 
An introduction to data protection - 2/09/2015
byRachel Aldighieri
 
Ppt
byGareth Badrian
 
Popi and Sharepoint 2010
byWillem Burger
 
Uchi data local presentation 2020
byChristo W. Meyer
 
2014-04-16 Protection of Personal Information Act Readiness Workshop
byPaul Jacobson
 
GDPR for your Payroll Bureau
byBrightPay Payroll and Auto Enrolment Software
 
GDPR for your Payroll Bureau
byBrightPay Payroll and Auto Enrolment Software
 
POPI_Overview_E
bySamm V. Cooper - Dunstan
 
POPI_Overview_E
byBruce Hudson
 
2014-09-18 Protection of Personal Information Act readiness workshop
byPaul Jacobson
 
Introduction to data protection - Edinburgh - 29/04/15
byRachel Aldighieri
 
Protection of Personal Information
byFrancois Naude Jr.
 

POPI Seminar FINAL

  • 3.
    The Increasing needfor data security  As revealed in the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost to a company was $3.5 million in US dollars and 15 percent more than what it cost last year.  On average, South African companies that experienced a breach in the last 12 months reported a cost to their organisation of upwards of R 5.6 Million  According to AON, an estimated 70% of all South African Businesses are unprepared for cyber crimes and cyber liability
  • 4.
  • 6.
    Forms of databreaches Phishing (SARS, Banking) Credit card cloning (Hotels, Shopping) Weak/unsecure passwords (Name,786) Unauthorised employee access to sensitive information (Secretaries) Hacking (external/internal) Theft of information (employees/corporate espionage) Theft of devices (laptops/cellphones)
  • 8.
    Causes of databreaches Keeping too much data around Failing to encrypt laptops, mobile devices and removable media. Poorly designed business processes. Accidental publishing to the web or email. Lack of appropriate access controls.
  • 9.
    The need fordata protection legislation  The need for personal data protection was first considered by a European Union Directive in 1995  In 2012 the E.U Adopted the European Data Protection Regulations amidst increasing data breaches and information leaks.  In line with International Standards, South Africa gazetted The Protection of Personal Information Act in November 2013  To date, the United States still has no unified law on personal data protection – leaving organisations, businesses and shadow agencies free to deal with personal information in anyway they see fit.  Edward Snowden (Ex-NSA) exposed the extent to which personal data is abused in the United States. Eg: Agents used data to track spouses, spy on neighbours, steal information off friends and colleagues.
  • 10.
    A South AfricanPerspective  The Bill of Rights: Section (14) “Everyone has the right to privacy, which includes the right not to have their person or home searched; their property searched; their possessions seized; or the privacy of their communications infringed.”  The Protection of Personal Information Bill of 2009 and Act of 2013
  • 11.
    Who does POPIapply to?  POPI applies to all businesses within the Republic of South Africa, including private and public bodies.  Certain bodies are specifically excluded from POPI, including the SAPS, when investigating crimes, and the Various Intelligence Agencies, when maintaining National Security.  Other exclusions set out in Section 4 of the Act include Information that is:  purely household or personal activity  sufficiently de-identified information  some state functions including criminal prosecutions, national security etc.  journalism under a code of ethics  judiciary functions
  • 12.
    What is PersonalInformation? Contact details: email, telephone, address etc. Demographic information: age, sex, race, birth date, ethnicity etc. History: employment, financial, educational, criminal, medical history Biometric information: blood type, finger prints etc. Opinions of and about the person Private Correspondence etc.
  • 13.
    How is PersonalInformation collected? Client or customer information forms Credit applications Online submission Registration forms Entry into competitions Cellular submissions Referrals from others * Sale of databases **
  • 14.
    The Direct MarketingDilemma “direct marketing” means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of – promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or requesting the data subject to make a donation of any kind for any reason;
  • 15.
    Opt In VSOpt Out Old Standard: Automatically opt in and unsubscribe or SMS Stop to opt out VS POPI Standard: Explicitly opt in to receive direct marketing
  • 16.
    Consent to dataprocessing  ‘‘Consent’’ means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information  Opportunities to opt-out – 1. When the personal information is first collected; and 2. With each subsequent communication.
  • 17.
    8 Processing Conditions Accountability mandatory compliance with the Act and information regulator  Processing limitation data must be processed in fair and lawful manner  Purpose specification data must only be used for explicitly defined and legitimate reasons  Further processing limitation no allowed unless express permission is granted
  • 18.
    Further Processing Conditions Information quality must ensure that info is kept reliable, accurate and up to date  Openness data subject must be informed of all data collected, grant permission for usage  Security Safeguards safeguards must be implemented, physical and non physical – software  Data subject participation may request info, corrections, of misleading, false info, info to be deleted
  • 19.
    Designated Information Officer Every organisation is required in terms of the Act to appoint a designated Information Officer  Information Officer’s responsibilities include:  encouragement of compliance with the Conditions for the Lawful Processing of Personal Information;  dealing with requests pursuant to this Act; interaction with the Regulator; and  otherwise ensuring compliance with the provisions of the Act.  We recommend that the Information Officer appointed is someone in a high level position within the organisation
  • 20.
    The Information Regulator The Regulator’s powers, duties and functions are to:  provide education, including the promotion of understanding and acceptance of the Conditions of lawful processing of Personal Information;  monitor and enforce compliance through the powers vested in it by the legislation;  consult with interested parties on a national and international basis;  handle and investigate complaints;  conduct research and report to Parliament on international developments;  assist in the establishment and development of codes of conduct;  facilitate cross-border cooperation in the enforcement of privacy laws with other jurisdictions; and  generally do everything necessary to fulfil these duties, and foster a culture which protects personal information in South Africa.
  • 21.
    Consequences of Non- compliancewith POPI  Suffer reputational damage  Lose customers and fail to attract new ones  Pay out millions in damages to a civil class action  Be fined up to R10 million or face 10 years imprisonment
  • 22.
    What does complianceentail?  Audit the processes used to collect, record, store, disseminate and destroy personal information. They must take steps to prevent the information being lost or damaged, or unlawfully accessed.  Define the purpose of the information gathering and processing: personal information must be collected for a specific, explicitly defined and lawful purpose.  Limit the processing parameters: the processing must be lawful and personal information may only be processed if it is adequate, relevant and not excessive given the purpose for which it is processed.  Take steps to notify the ‘data subject’: the individual whose information is being processed has the right to know this is being done and why.  Check the rationale for any further processing: if information is received via a third party for further processing, this further processing must be compatible with the purpose for which the data was initially collected.
  • 23.
    Further Compliance  Ensureinformation quality: the company processing the information must make sure the information is complete, accurate, up to date and not misleading or false.  Notify the information Protection Regulator: Organisations processing personal information will have to notify the Regulator about their actions once the regulations are in effect.  Accommodate data subject requests: POPI allows data subjects to make certain requests, free of charge, to organisations holding their personal information. For instance, the data subject has the right to know the identity of all third parties that have had access to their information.  Retain records for required periods: personal information must be destroyed, deleted or ‘de-identified’ as soon as the purpose for collecting the information has been achieved.  Cross border data transfer: there are restrictions on the sending of personal information out of South Africa as well as on the transfer of personal information back into South Africa.
  • 24.
    Frequently asked questions I’m not a criminal or a terrorist, why does my information need to be protected?  How will the Protection of Personal Information Act be enforced?  Do I need to hire an additional staff member to be my Information Officer?  When do I need to get compliant with the Act?
  • 25.
    How Smart Legalwill help your business  Smart Legal has extensive expertise and experience in data protection policy and implementation within businesses  Our assessments along with policies are tailor made to your specific business’ needs and requirements  Our approach is unique, efficient and effective  Seminar Attendees will be entitled to a Free assessment on your business’ readiness for and compliance with POPI
  • 26.
    Smart Legal Solutionsfor business Consumer Protection Protection Of Personal Information Labour Law Corporate Legal Solutions
  • 27.
    Conclusion Thank you foryour time: Contact: Imraan Kharwa Cell: 082 34 34 811 Landline: 031 207 3901 Email: [email protected] Social media: Linkedin: Smart Legal Twitter: @smartlegalbiz All Photo Credits: Images.google.com