
POPI… Who Gives a Damn!

Introduction

• Is POPI the Holy Grail?
• Do you think the POPI Act will reduce the risk of data breaches?
• Do you think the implementation of the POPI Act will increase customer confidence in your organisation?
• Do you know where the greatest risk to your business is in relation to POPI?

Current State of POPI

• The Act is still not effective
• A regulator has not been established
• The Deputy Minister of Justice announced last week that the remuneration range for the regulator has been determined


What will the regulator look like?

Regulator structure (from the slide's organisation chart):

Regulator
• Chairperson
• Members (Member, Member, Member)

Administration
• CEO
• Other operational staff

Committees
• Chairperson
• Other Members

Enforcement Committee
• Chairperson
• Other Members

• The maximum financial penalty that may be imposed for a breach under POPI is limited to R10m
• Civil liability claims
• Criminal liability
• Financial and reputational loss
• Loss of consumer confidence and trust

What is the cost of not complying?

• 2/3 of customers would leave you if you mistreated their data
• 76% of companies said a data breach caused moderate to severe impact on the business
• $3.5M average cost of a data breach

"Investors see data breaches as a threat to a company's material value and feel discouraged in investing in a business that has had its sensitive information compromised"
- Malcolm Marshall, global leader of KPMG's cyber security practice

Does compliance drive change?

• The inability of the UK's ICO to impose financial penalties resulted in it being labelled a "toothless tiger"; however, since 2010, when financial penalties were allowed, that perception improved
• However, two years after financial penalties were introduced, information breach figures indicated that "Data Breaches are 10 times worse", with 821 instances in 2011-12 vs. 29 in 2007-08 (BBC, 2012)
• Even back in 2012 there were a number of new proposals aimed at overhauling data protection legislation, including penalties of up to 2% of annual turnover, depending on the magnitude of the breach
• There is also a view that the drivers for compliance are all but financial, which is also visible from recent surveys conducted across organisations required to comply with the PCI-DSS standard: the vast majority indicated that "protect the brand" was more of a driver for compliance than the fear of penalties for non-compliance with the standard (Gensen, 2011)

Data Breach trends from the UK's ICO

UK Stats (chart): Top five breach sectors – Health, Local Gov, Education, Charities, Solicitors (chart shares: 59%, 16%, 11%, 8%, 6%)

3rd Party – the greatest risk?

• 3rd party POPI remediation is the most challenging and difficult
• No right-to-audit clauses with 3rd parties
• It has the greatest impact on an organisation
• We treat their compliance as a point-in-time exercise

POPI Compliance Challenges

• Understanding Legislative and Regulatory Requirements: Do we know the legislative and regulatory requirements for our business in respect of information?
• Understanding Information: Do we know what information we process, why we process such information, where information is stored and who can access it? Do we understand unstructured information?
• Understanding Business Process: Do we know how information is processed within the organisation (i.e. do we know where information goes)?
• Understanding Information Security Risks: Do we know where our risks are and have we implemented controls to mitigate these risks?
• Understanding Organisational Culture: Do we have an organisational culture that promotes the security and privacy of information?
• Knowing all Third Parties: Do we know who our third parties are, what information we share with them and how they process it?

Past, Present and the Future – a tense moment

Yesterday…

Bad "actors"
• Isolated criminals
• "Script kiddies"

Targets
• Identity theft
• Self-promotion opportunities
• Theft of services

"Target of opportunity"

Today…

Bad "actors"
• Organized criminals
• Nation states
• Hacktivists
• Insiders

Targets
• Intellectual property
• Financial information
• Strategic access

"Target of choice"

Has POPI made life better?

Average Joe/June

• Without even knowing, his/her personal information is more secure
• Organisations are acting more responsibly
• We are worrying about what 3rd parties are doing with our information
• We as consumers understand the importance of personal information and the associated risk

The way forward

• 100 percent security/compliance is neither feasible nor the appropriate goal
• Effective security is less dependent on technology than you think
• The ability to learn is just as important as the ability to monitor
• Compliance is not a department, but an attitude
• Focus on your core ability

Jason Gottschalk, Associate Director, Cyber Security
1 Mediterranean Street
Foreshore, Cape Town
Mobile: +27 82 719 1804
[email protected]

© 2015 KPMG [member firm name if applicable], the South African member firm of KPMG International, a Swiss cooperative. All rights reserved.

KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.