Protection of Personal Information Bill
Agenda
• Going to cover most of the law
• Purpose is to give an overview and provide a starting point for further discussion and action
• This is not about the Protection of State Information Bill aka “Secrecy Bill”
Disclaimer
• I am not a lawyer (duh) – this is about a law – thus you should have a lawyer check and work with you on this.
• We are talking about a bill, not an act.
• Not covered:
   ◦ The legal aspects about the regulator and information protection officers.
   ◦ Code of conduct aspects.
   ◦ Unsolicited Electronic Communications aspects.
Goal of the bill
To promote the protection of personal information processed by public and private
bodies; to introduce information protection principles so as to establish minimum
requirements for the processing of personal information; to provide for the
establishment of an Information Protection Regulator; to provide for the issuing of
codes of conduct; to provide for the rights of persons regarding unsolicited
electronic communications and automated decision making; to regulate the flow of
personal information across the borders of the Republic; and to provide for matters
connected therewith.
One Page View
• Collect Information: Must collect direct from person. Some exclusions apply.
• Process Information: Process means anything. Some limits on what you can process.
• Retention: Keep for as short a time as possible.
• Deletion: Delete so it is not recoverable.
• Security: Reasonable security steps must be taken.
• Data Subject Participation: You can find out who has your data. You can change your data.
• Notification: Notification must be given if there is loss or damage to data.
• Enforcement: Punishments.
Timelines
• Section 14 of the Constitution: Everyone has a right to privacy
• Bill created in 2009
• Seven drafts to date
• Expected to be enacted in three to six months [1]
• Companies will have between six and twelve months to put the law into place.
1. Webber Wentzel Attorneys: http://www.mondaq.com/404.asp?404;http://www.mondaq.com:80/x/184466/data+protection/POPI+Snapshot+Tougher+Laws+For+Privacy+Breaches&login=
Who this applies to
• This is aimed at protecting the information of all citizens of the country – so you!
• Any company that processes or outsources data to third parties needs to comply with it.
• As all organisations have information on staff, shareholders, etc., this means all businesses are affected.
Who it doesn’t apply to
• is non-commercial, and non-governmental or related to household activities;
• has been de-identified to the extent that it cannot be re-identified again;
• is held by or on behalf of a public body, which involves national security or deals with the identification of the proceeds of unlawful activities and the combating of money laundering activities;
• is created exclusively for journalistic purposes.
What does it apply to?
“processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as blocking, degradation, erasure or destruction of information;
Processing Limitations
• Must process lawfully
• Minimal set of data
• Relevant data only
• Give the purpose
• Consent must be given
• Required for the conclusion or performance of the contract
• You may opt out, at any time, and the processing must stop
Impact on the cloud?
• Applies to all people & companies that are within South Africa
and
• Applies to all people & companies that have systems that do processing in South Africa
• Additional consent is needed to store & process data outside of the borders of the country
Collecting Information
Has implications for further processing
• Must be collected directly from the data subject
• Except:
   ◦ It is in a public record already
   ◦ The data subject has consented to collection from a third party
   ◦ Collection from a third party without consent, where it would not prejudice the data subject
   ◦ Collection from a third party without consent where it is required
      ▪ For example, getting a criminal record from the police
Retention
• Kept only for the processing
• Can be kept for longer if:
   ◦ Required by law
   ◦ Required for functions/activities
   ◦ Agreed to in contract
   ◦ Historical, statistical or research purposes, provided appropriate safeguards are in place
Retention for Decision Making
• Data must be retained for as long as the law says
• If there is no law, for a reasonable period
• This is so that access requests can be fulfilled
Destruction of Data
• Data must be destroyed ASAP
• Data must be destroyed in such a way that it cannot be reconstructed
Security Measures
• Reasonable technical & organisational measures to prevent:
   ◦ Loss of & damage to data
   ◦ Unlawful access
• What do you need to do:
   ◦ Identify all risks (internal & external)
   ◦ Maintain & regularly validate safeguards
   ◦ Follow generally accepted information security practices
Notification of security compromises
• Must notify the regulator
• Must notify the data subject
• Must be done ASAP, except if instructed by SAPS, NIA or regulator to delay
• Notification must be done in one of the following ways:
   ◦ Mailed to physical or postal address
   ◦ Emailed
   ◦ Placed on the web site
   ◦ Published in the news media
   ◦ As directed by the regulator
• Notification must contain enough information for the data subject to take protective measures
• Must, if known, contain the identity of the unauthorised person
Data Subject Participation
• A data subject, having provided adequate proof of identity, can request, free of charge, whether a company has information on them.
• A data subject, having provided adequate proof of identity, can request what the information is & who it has been provided to.
   ◦ Reasonable cost can be applied but an estimate must be given first.
   ◦ Parts can be denied – requires compliance with grounds set out in PIPA
Data Modification
• A data subject can request the data to be changed or deleted
• The responsible party must comply with it, and provide evidence of it.
You may not process parts of information if they relate to
• Children
• Data subject’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life or criminal behaviour.
• There are reasonable exceptions, for example:
   ◦ Religion: If the information is being processed by an organisation and the data relates to belonging to that organisation. For example religious information & churches
   ◦ Health: if the organisation is an insurance or medical organisation
Notification
• The regulator must be notified prior to initial processing. The notification must include:
   ◦ Name & address of who is using the data
   ◦ Purpose
   ◦ Description of data collected
   ◦ Who the data will be supplied to
   ◦ If it will leave South Africa
   ◦ Description of security measures
Enforcement
• Process: Complaint → Decision of Action → Investigation → Assessment → Enforcement Notice → Appeal
• Can issue warrants and do search & seizure
• Offences: Obstruction, breach of confidentiality, failure to comply
• Penal sanctions: Imprisonment (up to 10 years) and/or fine
• Fine: R 10 million [1]
• Civil action can also be taken
1. Webber Wentzel Attorneys: http://www.mondaq.com/x/189552/data+protection/POPI+Snapshot+Penalties+Under+The+B
Impact on other laws
Amendments & Repeals to:
• Promotion of Access to Information Act, 2000
• ECT Act, 2002
• National Credit Act, 2005
Examples
• A BlackBerry with company information is left on a train & does not have a PIN. The company is at fault. [1]
• An outsourced company doing storage of backups loses the backup medium. The backups contain customer information. The backup is not encrypted. The company is at fault. [2]
1. Webber Wentzel Attorneys: http://www.mondaq.com/404.asp?404;http://www.mondaq.com:80/x/184466/data+protection/POPI+Snapshot+Tougher+Laws+For+Privacy+Breaches&login
2. Webber Wentzel Attorneys: http://www.mondaq.com/x/189552/data+protection/POPI+Snapshot+Penalties+Under+The+Bill
KPMG Cheat Sheet
• From: http://www.kpmg.com/ZA/en/IssuesAndInsights/ArticlesPublications/Protection-of-Personal-Information-Bill/Pages/default.aspx
• Broken down into the eight principles and has a number of easy-to-answer questions about an organisation that can help it comply.
Shortened List
• Have someone accountable in the organisation for the management of data, data information policies & managing communication in this regard
• Have a document of the data we collect
   ◦ Detail how & why it was collected, if further processing is needed and when it will be destroyed
• Include the why on the documents we use
• Educate staff on this
• Ensure we have security risk assessments for the data and that reasonable security is in place in all areas
• Ensure people have a way to access & update their information

PDT 88 - 4 million seed - Seed - Protecto.pdfHajeJanKamps
 
Tata Kelola Bisnis perushaan yang bergerak
Tata Kelola Bisnis perushaan yang bergerakTata Kelola Bisnis perushaan yang bergerak
Tata Kelola Bisnis perushaan yang bergerakEditores1
 
MC Heights construction company in Jhang
MC Heights construction company in JhangMC Heights construction company in Jhang
MC Heights construction company in Jhangmcgroupjeya
 
Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access
 
Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access
 
To Create Your Own Wig Online To Create Your Own Wig Online
To Create Your Own Wig Online  To Create Your Own Wig OnlineTo Create Your Own Wig Online  To Create Your Own Wig Online
To Create Your Own Wig Online To Create Your Own Wig Onlinelng ths
 
MoneyBridge Pitch Deck - Investor Presentation
MoneyBridge Pitch Deck - Investor PresentationMoneyBridge Pitch Deck - Investor Presentation
MoneyBridge Pitch Deck - Investor Presentationbaron83
 
A flour, rice and Suji company in Jhang.
A flour, rice and Suji company in Jhang.A flour, rice and Suji company in Jhang.
A flour, rice and Suji company in Jhang.mcshagufta46
 

Recently uploaded (20)

Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)Michael Vidyakin: Introduction to PMO (UA)
Michael Vidyakin: Introduction to PMO (UA)
 
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdfGraham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdf
 
Intellectual Property Licensing Examples
Intellectual Property Licensing ExamplesIntellectual Property Licensing Examples
Intellectual Property Licensing Examples
 
Anyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agencyAnyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agency
 
Investment Opportunity for Thailand's Automotive & EV Industries
Investment Opportunity for Thailand's Automotive & EV IndustriesInvestment Opportunity for Thailand's Automotive & EV Industries
Investment Opportunity for Thailand's Automotive & EV Industries
 
Project Brief & Information Architecture Report
Project Brief & Information Architecture ReportProject Brief & Information Architecture Report
Project Brief & Information Architecture Report
 
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
The End of Business as Usual: Rewire the Way You Work to Succeed in the Consu...
 
PDT 89 - $1.4M - Seed - Plantee Innovations.pdf
PDT 89 - $1.4M - Seed - Plantee Innovations.pdfPDT 89 - $1.4M - Seed - Plantee Innovations.pdf
PDT 89 - $1.4M - Seed - Plantee Innovations.pdf
 
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdf
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdfAMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdf
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdf
 
Chicago Medical Malpractice Lawyer Chicago Medical Malpractice Lawyer.pdf
Chicago Medical Malpractice Lawyer Chicago Medical Malpractice Lawyer.pdfChicago Medical Malpractice Lawyer Chicago Medical Malpractice Lawyer.pdf
Chicago Medical Malpractice Lawyer Chicago Medical Malpractice Lawyer.pdf
 
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
 
Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024
 
PDT 88 - 4 million seed - Seed - Protecto.pdf
PDT 88 - 4 million seed - Seed - Protecto.pdfPDT 88 - 4 million seed - Seed - Protecto.pdf
PDT 88 - 4 million seed - Seed - Protecto.pdf
 
Tata Kelola Bisnis perushaan yang bergerak
Tata Kelola Bisnis perushaan yang bergerakTata Kelola Bisnis perushaan yang bergerak
Tata Kelola Bisnis perushaan yang bergerak
 
MC Heights construction company in Jhang
MC Heights construction company in JhangMC Heights construction company in Jhang
MC Heights construction company in Jhang
 
Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024
 
Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024
 
To Create Your Own Wig Online To Create Your Own Wig Online
To Create Your Own Wig Online  To Create Your Own Wig OnlineTo Create Your Own Wig Online  To Create Your Own Wig Online
To Create Your Own Wig Online To Create Your Own Wig Online
 
MoneyBridge Pitch Deck - Investor Presentation
MoneyBridge Pitch Deck - Investor PresentationMoneyBridge Pitch Deck - Investor Presentation
MoneyBridge Pitch Deck - Investor Presentation
 
A flour, rice and Suji company in Jhang.
A flour, rice and Suji company in Jhang.A flour, rice and Suji company in Jhang.
A flour, rice and Suji company in Jhang.
 

Protection of Personal Information Bill (POPI)

  • 2. Agenda
      - Going to cover most of the law
      - Purpose to give an overview and provide a starting point for further discussion and action
      - This is not about the Protection of State Information Bill aka “Secrecy Bill”
  • 3. Disclaimer
      - I am not a lawyer (duh) – this is about a law – thus you should have a lawyer check and work with you on this.
      - We are talking about a bill, not an act.
      - Not covered:
          - The legal aspects about the regulator and information protection officers.
          - Code of conduct aspects.
          - Unsolicited Electronic Communications aspects.
  • 4. Goal of the bill
      To promote the protection of personal information processed by public and private bodies; to introduce information protection principles so as to establish minimum requirements for the processing of personal information; to provide for the establishment of an Information Protection Regulator; to provide for the issuing of codes of conduct; to provide for the rights of persons regarding unsolicited electronic communications and automated decision making; to regulate the flow of personal information across the borders of the Republic; and to provide for matters connected therewith.
  • 5. One Page View
      - Collect Information
          - Must collect direct from person
          - Some exclusions apply
      - Process Information
          - Process means anything
          - Some limits on what you can process
      - Retention: Keep for as short a time as possible
      - Deletion: Delete so it is not recoverable
      - Security: Reasonable security steps must be taken
      - Data Subject Participation
          - You can find out who has your data
          - You can change your data
      - Notification: Notification must be given if there is loss or damage to data
      - Enforcement: Punishments
  • 6. Timelines
      - Section 14 of the Constitution: Everyone has a right to privacy
      - Bill created in 2009
      - Seven drafts to date
      - Expected to be enacted in three to six months [1]
      - Companies will have between six and twelve months to put the law into place.
      [1] Webber Wentzel Attorneys: http://www.mondaq.com/404.asp?404;http://www.mondaq.com:80/x/184466/data+protection/POPI+Snapshot+Tougher+Laws+For+Privacy+Breaches&login=
  • 7. Who this applies to
      - This is aimed at protecting the information of all citizens of the country – so you!
      - Any company that processes or outsources data to third parties needs to comply with it.
      - As all organisations have information on staff, shareholders etc., this means all businesses are affected.
  • 8. Who it doesn’t apply to
      - is non-commercial, and non-governmental or related to household activities;
      - has been de-identified to the extent that it cannot be re-identified again;
      - is held by or on behalf of a public body, which involves national security or deals with the identification of the proceeds of unlawful activities and the combating of money laundering activities;
      - is created exclusively for journalistic purposes.
  • 9. What does it apply to?
      ‘‘processing’’ means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—
      (a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
      (b) dissemination by means of transmission, distribution or making available in any other form; or
      (c) merging, linking, as well as blocking, degradation, erasure or destruction of information;
  • 10. Processing Limitations
      - Must process lawfully
      - Minimal set of data
      - Relevant data only
      - Give the purpose
      - Consent must be given
      - Required for the conclusion or performance of the contract
      - You may opt out, at any time, and the processing must stop
  • 11. Impact on the cloud?
      - Applies to all people & companies that are within South Africa and
      - Applies to all people & companies that have systems that do processing in South Africa
      - Additional consent is needed to store & process data outside of the borders of the country
  • 12. Collecting Information has implications for further processing
      - Must be collected directly from the data subject
      - Except
          - It is in a public record already
          - The data subject has consented to collection from a third party
          - Collection from a third party without consent, where it would not prejudice the data subject
          - Collection from a third party without consent where it is required
              - For example getting a criminal record from the police
  • 13. Retention
      - Kept only for the processing
      - Can be kept for longer if
          - Required by law
          - Required for functions/activities
          - Agreed to in contract
          - Historical, statistical or research, provided there are appropriate safeguards
  • 14. Retention for Decision Making
      - Data must be retained for as long as the law says
      - If there is no law, for a reasonable period
      - This is so that access requests can be fulfilled
  • 15. Destruction of Data
      - Data must be destroyed ASAP
      - Data must be destroyed in such a way it cannot be reconstructed
  • 16. Security Measures
      - Reasonable technical & organisational measures to prevent
          - Loss of & damage to data
          - Unlawful access
      - What do you need to do
          - Identify all risks (internal & external)
          - Maintain & regularly validate safeguards
          - Follow generally accepted information security practices
  • 17. Notification of security compromises
      - Must notify the regulator
      - Must notify the data subject
      - Must be done ASAP, except if instructed by SAPS, NIA or regulator to delay
      - Notification must be done in one of the following ways
          - Mailed to physical or postal address
          - Emailed
          - Placed on the web site
          - Published in the news media
          - As directed by the regulator
      - Notification must contain enough information for the data subject to take protective measures
      - Must, if known, contain the identity of the unauthorised person
  • 18. Data Subject Participation
      - A data subject, having provided adequate proof of identity, can request, free of charge, whether a company has information on them.
      - A data subject, having provided adequate proof of identity, can request what the information is & who it has been provided to.
      - Reasonable cost can be applied but an estimate must be given first.
      - Parts can be denied – requires compliance with grounds set out in PIPA
  • 19. Data Modification
      - A data subject can request the data to be changed or deleted
      - The responsible party must comply with it, and provide evidence of it.
  • 20. You may not process parts of information if they relate to
      - Children
      - data subject’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life or criminal behaviour.
      - There are reasonable exceptions, for example
          - Religion: If the information is being processed by an organisation and the data relates to belonging to that organisation. For example religious information & churches
          - Health: if the organisation is an insurance or medical organisation
  • 21. Notification
      - The regulator must be notified prior to initial processing; the notification must include
          - Name & address of who is using the data
          - Purpose
          - Description of data collected
          - Who the data will be supplied to
          - If it will leave South Africa
          - Description of security measures
  • 22. Enforcement
      - Process:
          - Complaint
          - Decision of Action
          - Investigation
          - Assessment
          - Enforcement Notice
          - Appeal
      - Can issue warrants and do search & seizure
      - Offences: Obstruction, breach of confidentiality, failure to comply
      - Penal sanctions: Imprisonment (up to 10 years) and/or fine
      - Fine: R 10 million [1]
      - Civil action can also be taken
      [1] Webber Wentzel Attorneys: http://www.mondaq.com/x/189552/data+protection/POPI+Snapshot+Penalties+Under+The+B
  • 23. Impact on other laws
      Amendments & Repeals to
      - Promotion of Access to Information Act, 2000
      - ECT Act, 2002
      - National Credit Act, 2005
  • 24. Examples
      - Blackberry with company information left on train & does not have a pin. The company is at fault. [1]
      - Outsourced company doing storage of backups and loses the backup medium. The backups contain customer information. The backup is not encrypted. The company is at fault. [2]
      [1] Webber Wentzel Attorneys: http://www.mondaq.com/404.asp?404;http://www.mondaq.com:80/x/184466/data+protection/POPI+Snapshot+Tougher+Laws+For+Privacy+Breaches&login
      [2] Webber Wentzel Attorneys: http://www.mondaq.com/x/189552/data+protection/POPI+Snapshot+Penalties+Under+The+Bill
  • 25. KPMG Cheat Sheet
      - From: http://www.kpmg.com/ZA/en/IssuesAndInsights/ArticlesPublications/Protection-of-Personal-Information-Bill/Pages/default.aspx
      - Broken down into the eight principles and has a number of easy to answer questions about an organisation that can help it comply.
  • 26. Shortened List
      - Have someone accountable in the organisation for the management of data, data information policies & managing communication in this regard
      - Have a document of data we collect
          - Detail how & why it was collected, if further processing is needed and when it will be destroyed
      - Include the why on the documents we use
      - Educate staff on this
      - Ensure we have security risk assessments for the data and that reasonable security is in place in all areas
      - Ensure people have a way to access & update their information