Protection of Personal Information Act: Prepare, Protect and Prevent

Why the need for privacy?

Data privacy

Processing personal information enables your business.

PoPI in a nutshell

PoPI sets out eight conditions for the lawful processing of personal information:

Accountability
• Compliance with the law

Processing limitation
• Process the minimum required personal information, obtain it directly from the Data Subject when possible and obtain their consent for processing

Purpose specification
• Collect personal information for a specific purpose, retain it only for as long as required and destroy it securely once it is no longer required

Further processing limitation
• Further processing of information must be compatible with the original purpose of collection

Information quality
• Personal information processed is complete, accurate, not misleading and updated where necessary

Openness
• Personal information processing operations are documented and publicly available

Security safeguards
• Security measures are in place to safeguard information processed by the Responsible Party or their third parties. Breaches must be communicated to the Information Regulator and the Data Subjects

Data subject participation
• Data Subjects can inquire about the Personal Information held by the Responsible Party and can request the correction or deletion of that information when it is incorrect or no longer relevant

Global outlook

The diverse and complex privacy landscape makes effective privacy risk management and compliance a big challenge for organisations. Significant discrepancies exist in the laws across jurisdictions, as shown in the diagram below.

[Diagram: world map of privacy legislation, 2016. Legend: national privacy or data protection law in place; other significant privacy laws in place; emerging privacy or data laws; no privacy or data protection law in place]

The South African reality

The Protection of Personal Information Act, No. 4 of 2013 (PoPI) was signed into law on 26 November 2013. In April 2014, the provisions for establishing the Information Regulator (sections 1, 39 to 54, 112 and 113) commenced. Nominations for appointing the five members of the Information Regulator closed on 14 August 2015. Once the Information Regulator is established, it will give notice in the Gazette of the commencement dates for the further sections of PoPI. Organisations will have one year from the gazetted date to comply with these requirements.

PoPI will have a significant impact on the control environments of organisations that process Personal Information: from amending contractual agreements with employees, vendors and suppliers, to implementing technical information security measures to protect the information an organisation processes. PoPI's definition of processing is wide: it covers all stages of the Personal Information lifecycle, from collection to destruction.

Value of getting it right

• Protect brand, reputation and customer confidence
• Enhance customer experience, drive sales, margin and shareholder value
• Achieve and maintain legal and regulatory compliance. Minimise the risk of regulator fines
• Enhance employee trust by respecting their personal data
• Minimise data incidents and associated management costs
• Awareness of the controls used by third party suppliers
• Enable business with countries with data protection laws (e.g. EU countries)

What can go wrong

• According to the Ponemon Institute*, the value of brand and reputation could decline by as much as 17 percent to over 31 percent
• Tax-related identity theft was the most common form of identity theft (33% of overall complaints) reported to the U.S. Federal Trade Commission in 2014. It costs the U.S. Internal Revenue Service billions of dollars every year: $5.2B lost and $24.2B in cases detected in time in 2014
• The loss of an unencrypted, non-password protected portable hard drive storing prisoner information resulted in the regulator imposing a £180,000 fine on the UK Ministry of Justice
• In 2013 SA banks suffered tens of millions in losses due to a major breach of customer credit card data that originated from fast food merchants' IT infrastructure
• The UK Information Commissioner fined NHS Surrey £200,000 for not ensuring that the third party it used for destroying old hard drives was complying with UK regulation
• The new EU General Data Protection Regulation will have jurisdiction over foreign companies active in the European market which "handle Europeans' personal data abroad"

Non-compliance may have a great impact

• PoPI provisions
• Criminal penalties
• Administrative penalties
• Enforcement notices

*Ponemon Institute, Reputation Impact of a Data Breach, November 2011

Privacy questions to consider

The questions below span Marketing, Human Resources, Procurement, Suppliers, IT and Security, and cross border data transfers.

• Do you use data to analyse trends in consumer behaviour?
• Do you use data obtained from social media or applications to learn more about your consumers?
• Are you targeting specific groups of consumers?
• Do you collect sensitive personal data such as race, disabilities or medical information?
• Do you have privacy notices in your contracts?
• Do you collect information on minors / beneficiaries?
• Do you share employee information with suppliers such as health insurance companies and provident funds?
• What agreements with third parties do you have in place to ensure that they are protecting your data appropriately?
• How do you gain assurance over third parties?
• What personal information do you store? Where? Who has access to it? Do you encrypt it?
• What is the overall state of information security in your organisation?
• Do you have an Information Security Framework and is it implemented across the organisation?
• Do you get assurance from the performance of Information Security in your organisation?
• Are you sending personal data (including employee data) outside South Africa? Do you have appropriate mechanisms to do so?

If any of these questions raise concerns, you should conduct a Privacy Impact Assessment to assess your privacy risks.

What should organisations be doing?

Current state assessment
• Understand your current compliance position and undertake Privacy Impact Assessments where appropriate
• Assess your key gaps against the requirements of PoPI and prioritise them based on risk

Privacy improvement programme
• Develop a prioritised plan for remediation based on risk to your organisation and identify quick wins
• Implement remediation activities

Monitoring and assurance
• Establish data protection monitoring for core business operations and third parties (e.g. regular audits, metrics and dashboards)

EY privacy services

Privacy is not simply about understanding the law: it is also about implementing it. EY has the breadth of skillset to assist you in this journey.

We have experience in the following areas:
• Privacy Impact Assessments
• Privacy compliance roadmaps
• Privacy frameworks
• Personal information inventories
• Control environment improvement
• Training and awareness workshops
• Consultation on contracts: privacy clauses and terms and conditions
• Broad skillset in the cyber security area:
  • Information security framework reviews and implementation
  • Documentation of policies and procedures
  • Technical information security reviews (attack and penetration testing, vulnerability management, configuration reviews)
• Privacy control review and assurance

Our approach: 1 Identify and diagnose, 2 Design and implement, 3 Assure

Contacts:

Raghuvansh Swami | Director | Advisory Services
Office: +27 11 772 3752 | Mobile: +27 83 611 1212
Email: [email protected]

Yvette du Toit | Senior Manager | Advisory Services – Data Privacy
Office: +27 11 772 3265 | Mobile: +27 82 719 1821
Email: [email protected]

Why EY?

• EY has a team of over 200 Certified Information Privacy Professionals (CIPPs) who have developed methodologies to help organisations understand what risks exist to data privacy and compliance.
• For over a decade, EY has been assisting international organisations with understanding privacy and data protection risk, compliance and regulations, and helping them effectively manage the use of personal information within their organisation.
• We draw on our global privacy team to bring insights on legislation and regulation across the world.
• We have published a number of privacy thought leadership pieces.
• 'EY was rated equal highest in Forrester's Information Security Consulting Services Wave in terms of its privacy services' (The Forrester Wave™: Information Security Consulting Services, Q1 2013, Forrester Research, Inc.)