Presentation: The implications of POPI on IT
Date: 10 October 2013
Source: Sailpoint - POPI impact on IT 10102013, mobiusconsulting.co.za/.../09/Sailpoint-POPI-impact-on-IT-10102013.pdf


Page 1:

The implications of POPI on IT

10 October 2013

Page 2:

Agenda

•  Background
•  Privacy journey
•  IT focus: Enabling the business
•  International data breaches
•  Remediation roadmaps
•  Business benefits
•  Questions & Answers

Page 3:

Background: Overview

•  The Protection of Personal Information Bill
•  Gives effect to a person's right to privacy (in RSA this includes natural and juristic persons)
•  Governs the way in which personal information is processed by companies
•  Personal information is:
   •  Any information that can be used to uniquely identify a person
   •  Name, ID number, cell phone number, email address
   •  Religious beliefs, information related to children, health, etc.
•  What does non-compliance mean?
   •  Regulatory fines (up to R10 million)
   •  Prison sentence
   •  Regulatory audits
   •  Reputational damage

Page 4:

Background: Status

Recent activity:
•  National Assembly approval on 20 August 2013

Next steps:
•  Translation
•  Signed into law
•  Commencement

Page 5:

Background - Overview of the 8 POPI conditions

1) Accountability: Responsible parties must ensure that the principles of the POPI Bill are complied with.
2) Processing limitation: Personal information may only be processed in a fair and lawful manner, with the consent of the persons providing their personal information.
3) Purpose specification: Personal information may only be processed for specific and legitimate purposes.
4) Further processing limitation: Personal information may only be processed further if this is in line with the original purpose, or if additional consent is obtained.
5) Information quality: Companies must ensure that reasonable measures are in place to maintain the quality of the personal information they process.
6) Openness: Companies must keep a formal record of the personal information they process.
7) Security safeguards: Companies must ensure that reasonably practicable controls are in place to safeguard the personal information they process.
8) Data subject participation: Persons must be able to request access to their personal information and to update or delete the personal information a company holds about them.

Page 6:

Privacy journey: Information Privacy methodology

Figure 1: Mobius Consulting Information Privacy methodology

1. Privacy Awareness and Prioritisation
2. Privacy Risk Assessment
3. Roadmap Design and planning
4. Develop Privacy Governance & Control Framework
5. Implement Privacy Governance & Control Framework
6. Monitor & Audit

Phases: Plan & Assess; Remediate; Business as usual

Page 7:

Privacy journey: IT's involvement

Critical Success Factors
•  Appropriate ownership
•  Key stakeholder involvement
   •  Business process (end-to-end)
   •  IT/Information management
   •  Legal/Compliance
•  End-to-end business and data life-cycle understanding

Figure 1 (Mobius Consulting Information Privacy methodology, steps 1 to 6 across the phases Plan & Assess, Remediate and Business as usual) is repeated on this slide.

Page 8:

IT focus: enabling the business

1) Accountability
   •  Privacy officer
   •  Deputy information officer
   •  Privacy awareness
2) Processing limitation
   •  Identity & access governance (IAG)
   •  Consent storage
   •  3rd party contracts/processing
3) Purpose specification
   •  Data retention/destruction
4) Further processing limitation
   •  Contracting with 3rd party operators and establishing security safeguards
5) Information quality
   •  Input validation
   •  Information architecture
   •  Data quality reporting
6) Openness
   •  Data governance
   •  Incident logging and management
7) Security safeguards
   •  Risk assessment
   •  Information security management
   •  Identity & access governance (IAG)
   •  Security awareness
8) Data subject participation
   •  Data governance

Page 9:

World's biggest data breaches

Source: Information is beautiful, http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Page 10:

International data breaches: Hacked/Poor security

Page 11:

Remediation roadmaps

•  Should address the identified privacy gaps
•  Activities can be categorised as:
   –  Privacy governance
   –  Training and awareness
   –  Business process
   –  3rd party management
   –  System changes, including information security

Page 12:

Remediation roadmaps: System changes and information security

•  Perform an information risk assessment
•  Understand and identify the security, system development and change requirements needed to enable information security
•  Implement adequate Identity and Access Governance (IAG) policies and procedures
•  Assess the current state of information security
   –  Security reviews (ISO 27000 etc.)
   –  Vulnerability reviews (internal & external)
   –  Data discovery (structured and unstructured)
•  Remediate information security gaps
•  Manage the quality of the information processed
•  Drive electronic record management in line with the record retention policy and schedule
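The "Data discovery (structured and unstructured)" step above is where IT first learns which systems actually hold the personal information the slides define (ID numbers, cell phone numbers, email addresses). The following is an added example, not code from the slides or from Mobius Consulting, of a minimal discovery scan over unstructured text. It looks for the three identifier types named on Page 3 and validates South African ID number candidates using the 13-digit format (YYMMDD date prefix plus a Luhn check digit) so that arbitrary 13-digit order references are not reported. The sample record, names and numbers are constructed for the example; the `redact` helper is an assumption about what a remediation team would want next, not something the slides prescribe.

```python
"""Minimal PII discovery scan over unstructured text (added example, not from the slides).

Finds the identifiers the slides list as personal information: South African
ID numbers, e-mail addresses and SA cell phone numbers.  All sample input is
constructed for this example.
"""
import re
from datetime import datetime
from typing import Dict, List

# 13-digit SA ID number: YYMMDD date, 4-digit sequence, citizenship digit,
# one further digit, then a Luhn check digit.  Lookarounds stop us matching
# inside longer digit runs.
SA_ID_RE = re.compile(r"(?<!\d)(\d{13})(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# SA cell number: leading 0 or +27, then a 9-digit subscriber number starting
# 6/7/8, with optional spaces or dashes between digit groups.
SA_MOBILE_RE = re.compile(r"(?<!\d)(?:\+27|0)\s?[6-8]\d(?:[ -]?\d){7}(?!\d)")

# Constructed sample record; none of these values refer to a real person.
SAMPLE = """\
Customer record (constructed sample, not real data):
Name: Thandi Nkosi, ID 9001015009086, cell 083 678 6788, e-mail thandi.nkosi@example.co.za
Bad ID on file: 9001015009087 (check digit wrong), order ref 1234567890123
Alt contact +27 82 555 0199; landline 011 555 0100
"""


def luhn_ok(digits: str) -> bool:
    """Luhn check over a string of decimal digits (check digit included)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_valid_sa_id(candidate: str) -> bool:
    """A 13-digit candidate counts as an SA ID only if its YYMMDD prefix is a real date and Luhn passes."""
    if len(candidate) != 13 or not candidate.isdigit():
        return False
    try:
        datetime.strptime(candidate[:6], "%y%m%d")
    except ValueError:
        return False
    return luhn_ok(candidate)


def scan_text(text: str) -> Dict[str, List[str]]:
    """Return the personal-information items found in text, grouped by type."""
    return {
        "sa_id": [m for m in SA_ID_RE.findall(text) if is_valid_sa_id(m)],
        "email": EMAIL_RE.findall(text),
        # normalise separators so the same number is reported one way
        "mobile": [re.sub(r"[ -]", "", m) for m in SA_MOBILE_RE.findall(text)],
    }


def redact(text: str) -> str:
    """Mask the discovered items so findings can be shared without re-spreading the data."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = SA_MOBILE_RE.sub("[MOBILE]", text)
    # only mask 13-digit runs that really are ID numbers; leave order refs alone
    text = SA_ID_RE.sub(lambda m: "[SA_ID]" if is_valid_sa_id(m.group(1)) else m.group(1), text)
    return text


if __name__ == "__main__":
    for kind, items in scan_text(SAMPLE).items():
        print(f"{kind}: {items}")
    print(redact(SAMPLE))
```

Run against a file share or database export, the same scan gives the inventory the later roadmap items (IAG scoping, retention and destruction) have to work from; the date-plus-Luhn validation is what keeps the false-positive rate low enough for that inventory to be trusted.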

Page 13:

Business benefits

Is POPI just a compliance issue, or can there be benefits for the business? How can the investment in POPI compliance be leveraged to add value to the business?

•  Rationalise architecture
•  Reduced expenditure on storage (physical and electronic)
•  Business process improvement
•  Data quality
•  Compliance, security and incident management savings
•  Competitive advantage

Page 14: (no text content)

Page 15:

www.mobiusconsulting.co.za

THANK YOU

PATRICK RYAN, MANAGING DIRECTOR
[email protected]

LYNN MARTIN, PRINCIPAL CONSULTANT
[email protected]

Mobile 083 678 6788; Mobile 083 3970537