imraan-kharwa
The Increasing Need for Data Security
As revealed in the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost of a breach to a company was $3.5 million (US dollars), 15 percent more than it cost the previous year.
On average, South African companies that experienced a breach in the last 12 months reported a cost to their organisation of upwards of R5.6 million.
According to AON, an estimated 70% of all South African businesses are unprepared for cyber crime and cyber liability.
Source: www.businessinsider.com
Forms of data breaches
Phishing (SARS, banking)
Credit card cloning (hotels, shopping)
Weak/insecure passwords (e.g. a name, 786)
Unauthorised employee access to sensitive information (Secretaries)
Hacking (external/internal)
Theft of information (employees/corporate espionage)
Theft of devices (laptops/cellphones)
Causes of data breaches
Keeping too much data around
Failing to encrypt laptops, mobile devices and removable media
Poorly designed business processes
Accidental publishing to the web or email
Lack of appropriate access controls
The need for data protection legislation
The need for personal data protection was first considered by a European Union Directive in 1995.
In 2012 the E.U. adopted the European Data Protection Regulations amidst increasing data breaches and information leaks.
In line with international standards, South Africa gazetted the Protection of Personal Information Act in November 2013.
To date, the United States still has no unified law on personal data protection, leaving organisations, businesses and shadow agencies free to deal with personal information in any way they see fit.
Edward Snowden (ex-NSA) exposed the extent to which personal data is abused in the United States, e.g. agents used data to track spouses, spy on neighbours, and steal information from friends and colleagues.
A South African Perspective
The Bill of Rights, Section 14: “Everyone has the right to privacy, which includes the right not to have their person or home searched; their property searched; their possessions seized; or the privacy of their communications infringed.”
The Protection of Personal Information Bill of 2009 and Act of 2013
Who does POPI apply to?
POPI applies to all businesses within the Republic of South Africa, including private and public bodies.
Certain bodies are specifically excluded from POPI, including the SAPS when investigating crimes, and the various intelligence agencies when maintaining national security.
Other exclusions set out in Section 4 of the Act include:
purely household or personal activity
sufficiently de-identified information
some state functions, including criminal prosecutions, national security etc.
journalism under a code of ethics
judiciary functions
What is Personal Information?
Contact details: email, telephone, address etc.
Demographic information: age, sex, race, birth date, ethnicity etc.
History: employment, financial, educational, criminal, medical history
Biometric information: blood type, fingerprints etc.
Opinions of and about the person
Private correspondence etc.
How is Personal Information collected?
Client or customer information forms
Credit applications
Online submission
Registration forms
Entry into competitions
Cellular submissions
Referrals from others *
Sale of databases **
The Direct Marketing Dilemma
“direct marketing” means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of –
promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or
requesting the data subject to make a donation of any kind for any reason;
Opt In VS Opt Out
Old standard: automatically opted in; unsubscribe or SMS “Stop” to opt out
VS
POPI standard: explicitly opt in to receive direct marketing
Consent to data processing
“Consent” means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.
Opportunities to opt out:
1. When the personal information is first collected; and
2. With each subsequent communication.
8 Processing Conditions
Accountability: mandatory compliance with the Act and the Information Regulator
Processing limitation: data must be processed in a fair and lawful manner
Purpose specification: data must only be used for explicitly defined and legitimate reasons
Further processing limitation: not allowed unless express permission is granted
Further Processing Conditions
Information quality: must ensure that information is kept reliable, accurate and up to date
Openness: the data subject must be informed of all data collected and must grant permission for its usage
Security safeguards: safeguards must be implemented, both physical and non-physical (software)
Data subject participation: the data subject may request information, corrections of misleading or false information, or deletion of information
Designated Information Officer
Every organisation is required in terms of the Act to appoint a designated Information Officer.
The Information Officer’s responsibilities include:
encouragement of compliance with the Conditions for the Lawful Processing of Personal Information;
dealing with requests pursuant to this Act;
interaction with the Regulator; and
otherwise ensuring compliance with the provisions of the Act.
We recommend that the Information Officer appointed is someone in a high-level position within the organisation.
The Information Regulator
The Regulator’s powers, duties and functions are to:
provide education, including the promotion of understanding and acceptance of the Conditions of lawful processing of Personal Information;
monitor and enforce compliance through the powers vested in it by the legislation;
consult with interested parties on a national and international basis;
handle and investigate complaints;
conduct research and report to Parliament on international developments;
assist in the establishment and development of codes of conduct;
facilitate cross-border cooperation in the enforcement of privacy laws with other jurisdictions; and
generally do everything necessary to fulfil these duties, and foster a culture which protects personal information in South Africa.
Consequences of Non-compliance with POPI
Suffer reputational damage
Lose customers and fail to attract new ones
Pay out millions in damages to a civil class action
Be fined up to R10 million or face 10 years imprisonment
What does compliance entail?
Audit the processes used to collect, record, store, disseminate and destroy personal information. Organisations must take steps to prevent the information being lost or damaged, or unlawfully accessed.
Define the purpose of the information gathering and processing: personal information must be collected for a specific, explicitly defined and lawful purpose.
Limit the processing parameters: the processing must be lawful and personal information may only be processed if it is adequate, relevant and not excessive given the purpose for which it is processed.
Take steps to notify the ‘data subject’: the individual whose information is being processed has the right to know this is being done and why.
Check the rationale for any further processing: if information is received via a third party for further processing, this further processing must be compatible with the purpose for which the data was initially collected.
Further Compliance
Ensure information quality: the company processing the information must make sure the information is complete, accurate, up to date and not misleading or false.
Notify the Information Protection Regulator: organisations processing personal information will have to notify the Regulator about their actions once the regulations are in effect.
Accommodate data subject requests: POPI allows data subjects to make certain requests, free of charge, to organisations holding their personal information. For instance, the data subject has the right to know the identity of all third parties that have had access to their information.
Retain records for required periods: personal information must be destroyed, deleted or ‘de-identified’ as soon as the purpose for collecting the information has been achieved.
Cross border data transfer: there are restrictions on the sending of personal information out of South Africa as well as on the transfer of personal information back into South Africa.
Frequently asked questions
I’m not a criminal or a terrorist, why does my information need to be protected?
How will the Protection of Personal Information Act be enforced?
Do I need to hire an additional staff member to be my Information Officer?
When do I need to get compliant with the Act?
How Smart Legal will help your business
Smart Legal has extensive expertise and experience in data protection policy and implementation within businesses.
Our assessments and policies are tailor-made to your specific business’ needs and requirements.
Our approach is unique, efficient and effective.
Seminar attendees will be entitled to a free assessment of your business’ readiness for and compliance with POPI.
Smart Legal Solutions for Business
Consumer Protection
Protection of Personal Information
Labour Law
Corporate Legal Solutions
Conclusion
Thank you for your time.
Contact: Imraan Kharwa
Cell: 082 34 34 811
Landline: 031 207 3901
Email: [email protected]
Social media:
Linkedin: Smart Legal
Twitter: @smartlegalbiz
All Photo Credits: Images.google.com