The President has announced that the Protection of Personal Information Act will commence on 01 July 2020, which raises the question: what should you do next?
The long-awaited announcement from the President regarding the official commencement date of the Protection of Personal Information Act has finally arrived. This week the Presidency announced that the remaining sections of the Act will come into effect from 01 July 2020. The Act gives all organisations a twelve-month grace period from this commencement date to achieve compliance before facing any consequences.
However, it’s worth noting that reaching compliance is a marathon, not a sprint. It requires a shift in organisational culture, company-wide policies, staff training, updated business and technical processes, the implementation and review of controls, updated or reviewed contracts, and communication with relevant stakeholders. Plans to achieve compliance should therefore not be delayed, as compliance cannot be achieved at the last minute.
The consequences of being found to be non-compliant after the twelve month grace period include:
Imprisonment of offenders for between one and 10 years.
Up to R10 million in penalties and fines.
An enforcement notice requiring a non-compliant organisation to stop processing personal information (which could affect the continuation of business operations).
Civil action on behalf of an individual or group of individuals.
Preparing for POPI Act Compliance
Organisations should begin implementing compliance programmes now and review the implementation on a regular basis. Bahati Tech presents a practical approach to assist organisations in achieving POPIA compliance:
Create a tailor-made compliance programme for your organisation:
Identify the business areas that handle personal information.
Define the business needs and processes related to processing (i.e. the collection, storage, use, sharing or transfer, and destruction or archival of personal information).
Define a data protection policy and strategy.
Create personal data flow diagrams, with narratives, describing how personal information flows throughout your organisation.
Create a personal information inventory that covers all digitally processed data and paper-based repositories.
Identify the information security controls and the gaps (deficiencies) in the data flow.
Perform data protection risk and maturity assessments.
Prepare and present a POPI compliance assessment report.
To discuss how we can support you further, email us on:
The long-awaited announcement from the President regarding the official commencement date of the Protection of Personal Information Act has finally arrived. This week the Presidency announced that the remaining sections of the Act will come into effect from 01 July 2020. This newsletter covers what you should consider doing next:
I am so excited! We’re bringing straight-to-the-point content on data privacy by design – no time wasted. We will be delivering straightforward, clear tactics on how to implement privacy by design in the tech and software development environment.
Avey is an online beauty treatment platform that allows clients to book a beauty treatment in the comfort of their home or office. Avey allows the client to select a beauty professional for an appointment at a specified time. The beauty professionals also register to operate on the platform and go through a screening process before they are approved as Avey beauty professionals. This platform therefore processes both client and beauty professional personal data.
Avey currently operates in the major cities within South Africa and is therefore conscious that it needs to comply with the Protection of Personal Information Act (POPIA). As an online platform, Avey also has clients placing orders from all over the world, and it has a vision to expand to other parts of the world. It therefore also wants to comply with the General Data Protection Regulation (GDPR).
Bahati Tech conducted a readiness assessment for Avey, measuring its current organisational and technical controls and its general business processes against data protection norms and standards and the requirements of GDPR and POPIA. Bahati Tech also conducted data protection awareness training for Avey staff, with a strong emphasis on data security. Bahati Tech delivered a readiness assessment report to Avey management, together with a suggested roadmap for the improvement measures recommended for the organisation.
Avey formalised their data privacy policies and developed a roadmap to implement a data protection project.
During this project Avey reviewed and implemented improved security controls around the management of Avey Beauty Professional personal data.
Avey staff received training on data protection and data security.
Avey management received a gap analysis report detailing the current Avey business processes and organisational and technical controls versus the requirements of GDPR and POPIA.
On 21 March, South Africans commemorated Human Rights Day. In the run-up to this day I’ve taken some time to reflect on our universal right to privacy. In 1948, the United Nations adopted the Universal Declaration of Human Rights, and article 12 of this declaration is dedicated to our universal right to privacy. The Declaration states that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
This right became well established and understood, especially before the age of mass-market consumer computing devices, social media, and the widespread digital migration in every sector. Even law enforcement agents are required to possess a signed warrant before they can search your private home, out of respect for an individual’s private life.
It seems that as people started recording their personal information on computer systems, and later over the internet, we failed to carry the protection of this basic right over to the digital landscape. Yet the private and sensitive information that we as individuals have captured on various online platforms more than adequately reflects our entire lives, family relations and associations.
Many high-profile data breaches and data leaks have exposed billions of personal data records, putting billions of people at risk. On a more sinister level, we’ve also witnessed companies that misappropriate personal information and recorded online behaviour to manipulate people into behaving in certain ways, including influencing their political decisions. All these incidents remind us that our right to privacy, and our right to have our personal data protected, need to be enforced.
Sweden became the first country in the world to enact a national data protection law, in 1973, to address concerns around the increasing number of computers processing and storing personal data. In 2019, the World Economic Forum published an article stating that 4.2 billion people in the world share their personal data online, while only 100 countries have data protection laws in place. One of the most well-known data protection regulations passed recently is Europe’s General Data Protection Regulation (GDPR). This regulation has prompted a great deal of activity and effort, as companies that collect or use personal data have reviewed their policies, actions, processes and controls. Many large and well-known companies have already received massive fines and penalties under the GDPR, which has motivated others to review their data protection programmes and put more effort into compliance. Despite many companies facing penalties and fines for the mishandling of personal data, the GDPR has been criticised by others for not being effective enough at enforcing compliance and data protection. What it has achieved, though, is an increase in awareness around data protection, and it has reminded the general public that they do have a right to expect their personal data to be protected.
The South African Protection of Personal Information Act was signed into law almost seven years ago, and we are still waiting for this Act to come into full force. In the build-up to this law coming into force, we have seen a disturbingly high number of data breaches in the country recently. This has led many people in the industry to call for the Information Regulator to speed up action so that we can finally see the personal data of South Africans protected. In the meantime, it is important for companies that collect and use personal data to understand that privacy and personal data protection is not just a legal compliance issue but a fundamental human right that should be respected and upheld.
On 30 March 2020, Bahati Tech, in partnership with Future Females and the UK in South Africa Tech Hub, presented a cybersecurity webinar to founders of digital businesses on “Protecting your business from online attacks”.
Bahati Tech will be presenting an online workshop to assist parents in protecting their children on the internet. Covid-19 has seen most extramural activities for children cancelled, leading children to spend more and more time online.
A tech company that uses artificial intelligence to detect grooming and predators reports that these incidents occur frequently and that most go undetected. There is no particular profile of a child who is targeted by predators online; all children are vulnerable. Nowadays predators are using mainstream apps and websites to target minors, including popular social media apps, online games, and apps with live video calling or chat features.
Join us in this webinar where we will be discussing what you can do to protect your children from harm on the internet.
As Bahati Tech (PTY) Ltd we will strive to continue providing our Data Protection services and meet our obligations to our clients while carefully adhering to the National Lockdown announced by President Cyril Ramaphosa. In doing this, we will take into account governmental advice coupled with our real-world experiences to ensure the safety of all our stakeholders.
Should we or one of our customers cancel or curtail any activity, then our standard contractual terms will be applied regarding any payments made or due.
Our staff will continue to reasonably fulfil their roles and their obligations to our customers; any changes to this expectation will be informed by government advice and communicated both to staff and to our clients accordingly.
Training and consultancy delivery:
From a training and consultancy delivery perspective, the business will take the following approach:
All in-person engagements will be postponed for the time being. We are taking proactive measures to make online consulting and training available, and where necessary and feasible we will move all pre-planned consultancy engagements to online platforms.
Our other business lines and services that are delivered remotely are unaffected by this policy.