POPI Seminar FINAL

Page 1: POPI Seminar FINAL

The increasing need for data security

As revealed in the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost of a breach to a company was $3.5 million (US dollars), 15 percent more than it cost the previous year.

On average, South African companies that experienced a breach in the last 12 months reported a cost to their organisation of upwards of R5.6 million.

According to AON, an estimated 70% of all South African businesses are unprepared for cyber crime and cyber liability.

Source: www.businessinsider.com

Forms of data breaches

Phishing (SARS, banking)

Credit card cloning (Hotels, Shopping)

Weak/insecure passwords (Name, 786)

Unauthorised employee access to sensitive information (Secretaries)

Hacking (external/internal)

Theft of information (employees/corporate espionage)

Theft of devices (laptops/cellphones)

Causes of data breaches

Keeping too much data around

Failing to encrypt laptops, mobile devices and removable media.

Poorly designed business processes.

Accidental publishing to the web or email.

Lack of appropriate access controls.

The need for data protection legislation

The need for personal data protection was first considered by a European Union Directive in 1995.

In 2012 the E.U. adopted the European Data Protection Regulations amidst increasing data breaches and information leaks.

In line with international standards, South Africa gazetted the Protection of Personal Information Act in November 2013.

To date, the United States still has no unified law on personal data protection, leaving organisations, businesses and shadow agencies free to deal with personal information in any way they see fit.

Edward Snowden (ex-NSA) exposed the extent to which personal data is abused in the United States, e.g. agents used data to track spouses, spy on neighbours, and steal information from friends and colleagues.

A South African Perspective

The Bill of Rights, Section 14: “Everyone has the right to privacy, which includes the right not to have their person or home searched; their property searched; their possessions seized; or the privacy of their communications infringed.”

The Protection of Personal Information Bill of 2009 and Act of 2013

Who does POPI apply to?

POPI applies to all businesses within the Republic of South Africa, including private and public bodies.

Certain bodies are specifically excluded from POPI, including the SAPS when investigating crimes, and the various intelligence agencies when maintaining national security.

Other exclusions set out in Section 4 of the Act include information that is:

purely household or personal activity

sufficiently de-identified information

some state functions including criminal prosecutions, national security etc.

journalism under a code of ethics

judiciary functions

What is Personal Information?

Contact details: email, telephone, address etc.

Demographic information: age, sex, race, birth date, ethnicity etc.

History: employment, financial, educational, criminal, medical history

Biometric information: blood type, fingerprints etc.

Opinions of and about the person

Private Correspondence etc.

How is Personal Information collected?

Client or customer information forms

Credit applications

Online submission

Registration forms

Entry into competitions

Cellular submissions

Referrals from others *

Sale of databases **

The Direct Marketing Dilemma

“direct marketing” means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of –

promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or

requesting the data subject to make a donation of any kind for any reason;

Opt In VS Opt Out

Old Standard: Automatically opt in and unsubscribe or SMS Stop to opt out

VS

POPI Standard: Explicitly opt in to receive direct marketing

Consent to data processing

‘‘Consent’’ means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information

Opportunities to opt-out –

1. When the personal information is first collected; and

2. With each subsequent communication.

8 Processing Conditions

Accountability: mandatory compliance with the Act and the Information Regulator

Processing limitation: data must be processed in a fair and lawful manner

Purpose specification: data must only be used for explicitly defined and legitimate reasons

Further processing limitation: not allowed unless express permission is granted

Further Processing Conditions

Information quality: must ensure that info is kept reliable, accurate and up to date

Openness: the data subject must be informed of all data collected and grant permission for its usage

Security safeguards: safeguards must be implemented, both physical and non-physical (software)

Data subject participation: may request info, request corrections of misleading or false info, and request that info be deleted

Designated Information Officer

Every organisation is required in terms of the Act to appoint a designated Information Officer.

Information Officer’s responsibilities include:

encouragement of compliance with the Conditions for the Lawful Processing of Personal Information;

dealing with requests pursuant to this Act;

interaction with the Regulator; and

otherwise ensuring compliance with the provisions of the Act.

We recommend that the Information Officer appointed is someone in a high-level position within the organisation.

The Information Regulator

The Regulator’s powers, duties and functions are to:

provide education, including the promotion of understanding and acceptance of the Conditions of lawful processing of Personal Information;

monitor and enforce compliance through the powers vested in it by the legislation;

consult with interested parties on a national and international basis;

handle and investigate complaints;

conduct research and report to Parliament on international developments;

assist in the establishment and development of codes of conduct;

facilitate cross-border cooperation in the enforcement of privacy laws with other jurisdictions; and

generally do everything necessary to fulfil these duties, and foster a culture which protects personal information in South Africa.

Consequences of non-compliance with POPI

Suffer reputational damage

Lose customers and fail to attract new ones

Pay out millions in damages to a civil class action

Be fined up to R10 million or face 10 years imprisonment

What does compliance entail?

Audit the processes used to collect, record, store, disseminate and destroy personal information. They must take steps to prevent the information being lost or damaged, or unlawfully accessed.

Define the purpose of the information gathering and processing: personal information must be collected for a specific, explicitly defined and lawful purpose.

Limit the processing parameters: the processing must be lawful and personal information may only be processed if it is adequate, relevant and not excessive given the purpose for which it is processed.

Take steps to notify the ‘data subject’: the individual whose information is being processed has the right to know this is being done and why.

Check the rationale for any further processing: if information is received via a third party for further processing, this further processing must be compatible with the purpose for which the data was initially collected.

Further Compliance

Ensure information quality: the company processing the information must make sure the information is complete, accurate, up to date and not misleading or false.

Notify the Information Protection Regulator: organisations processing personal information will have to notify the Regulator about their actions once the regulations are in effect.

Accommodate data subject requests: POPI allows data subjects to make certain requests, free of charge, to organisations holding their personal information. For instance, the data subject has the right to know the identity of all third parties that have had access to their information.

Retain records for required periods: personal information must be destroyed, deleted or ‘de-identified’ as soon as the purpose for collecting the information has been achieved.

Cross border data transfer: there are restrictions on the sending of personal information out of South Africa as well as on the transfer of personal information back into South Africa.

Frequently asked questions

I’m not a criminal or a terrorist, why does my information need to be protected?

How will the Protection of Personal Information Act be enforced?

Do I need to hire an additional staff member to be my Information Officer?

When do I need to get compliant with the Act?

How Smart Legal will help your business

Smart Legal has extensive expertise and experience in data protection policy and implementation within businesses.

Our assessments, along with our policies, are tailor-made to your specific business’ needs and requirements.

Our approach is unique, efficient and effective.

Seminar attendees will be entitled to a free assessment of your business’ readiness for and compliance with POPI.

Smart Legal Solutions for business

Consumer Protection

Protection of Personal Information

Labour Law

Corporate Legal Solutions

Conclusion

Thank you for your time.

Contact: Imraan Kharwa
Cell: 082 34 34 811
Landline: 031 207 3901
Email: [email protected]

Social media:

Linkedin: Smart Legal

Twitter: @smartlegalbiz

All Photo Credits: Images.google.com