Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIGFARO CONFERENCE 9 OCTOBER 2018.

Published bySharon Hutchinson Modified over 6 years ago

Similar presentations

Presentation on theme: "CIGFARO CONFERENCE 9 OCTOBER 2018."— Presentation transcript:

1 CIGFARO CONFERENCE 9 OCTOBER 2018

2 Government Finance Audit and Risk Officers
POPI Act Compliance For Government Finance Audit and Risk Officers Presented by Dr Peter Tobin CGEIT, PMIITPSA, PMP October 2018 Copyright Dr Peter Tobin, 2018

3 Presentation Objectives
Provide an overview of POPIA Explain why POPIA matters What you need to do about POPIA Practical example of POPIA non-compliance  Recommendations for future action Closing thoughts October 2018 Copyright Dr Peter Tobin, 2018

4 Protection of Personal Information Act (POPIA) Overview
POPIA was a Bill up to November 2013 when it received the assent of the President and appeared in the Government Gazette as Act No. 4 of 2013 In April 2014 partial commencement of the POPI Act occurred to support the establishment of the Information Regulator South Africa (InfoRegSA) The InfoRegSA core team took office in December 2016 Full commencement of POPIA is expected not before 1Q2019, probably later There will be a 12 month transition period, unless extended by the Minister October 2018 Copyright Dr Peter Tobin, 2018

5 Protection of Personal Information Act (POPIA) Overview
Accountability = assigning ownership in your business; Processing Limitation = processing information for lawful reasons and in a manner that does not infringe privacy; Purpose Specification =only obtaining and holding personal information for a specific purpose; Further Processing Limitation = Further processing of personal information must be compatible with the purpose for which it was collected; October 2018 Copyright Dr Peter Tobin, 2018

6 Protection of Personal Information Act (POPIA) Overview
Information Quality = information is complete and accurate; Openness = being honest about collection and processing; Security safeguards = using reasonable technical and organisational measures; Data Subject Participation = an individual may request the information is accessed, deleted or corrected. October 2018 Copyright Dr Peter Tobin, 2018

7 Protection of Personal Information Act (POPIA) Overview
Other compliance requirements Special PI Children Rights of Data Subjects Information Officer Appointment Electronic Direct Marketing Transborder flows October 2018 Copyright Dr Peter Tobin, 2018

8 Protection of Personal Information Act (POPIA) Overview
What is the scope of impact? POPIA addresses living individuals and juristic entities All organisations that process personal information Exemptions apply Certain activities of the state Journalistic activities International law enforcement Regulator may also exempt for specific reasons Household activities October 2018 Copyright Dr Peter Tobin, 2018

9 Copyright Dr Peter Tobin, 2018
What is GDPR? European-wide personal data privacy legislation Global applicability for processing of personal data of EU residents Came into full force on 25 May 2018 More rigorous than POPIA in many areas October 2018 Copyright Dr Peter Tobin, 2018

10 Copyright Dr Peter Tobin, 2018
Why POPIA matters POPIA “Stick & Carrot” POPIA stick: reactive and based on a negative impact for non-compliance Fines – up to R10,000,00.00 per incident Jail time for the information Officer Reputation damage – career damage POPIA carrot: proactive and based on a positive impact for compliance Service delivery enhancement Reputation enhancement October 2018 Copyright Dr Peter Tobin, 2018

11 What you need to do about POPIA
A comprehensive review of the current state of compliance This typically reveals one or more gaps between the current and required level of compliance “Reasonable and appropriate” is key October 2018 Copyright Dr Peter Tobin, 2018

12 What you need to do about POPIA
Governing Body / Accounting Authority responsibilities Governance starts at board or governing body level Board needs to set direction and provide oversight Looks at risk and value Takes long term, externally oriented view Hold ultimate accountability to external and internal stakeholders October 2018 Copyright Dr Peter Tobin, 2018

13 What you need to do about POPIA
Executive management responsibilities POPI Act defined Designated Head as accountable through the Promotion of Access to Information Act (PAIA) Accountability can be delegated for public bodies Public bodies may appoint deputies to assist with compliance activities October 2018 Copyright Dr Peter Tobin, 2018

14 What you need to do about POPIA
Other responsibilities Multiple roles can be defined both inside and outside the organisation, e.g. Internal and External Audit Information and Record Stewards / Custodians Service providers & Operators Employees October 2018 Copyright Dr Peter Tobin, 2018

15 What you need to do about POPIA
Step 1: Initiate Set yourself up for success by formalising your compliance activities Establish a compliance preparation project Ensure you have proper authorisation and funding: we recommend a project charter is drawn up and approved by the project sponsor Update and sign the Project Charter Update and sign the Information Officer and Deputy Information Officer appointment letters Develop a preliminary plan of action Ensure you identify and engage your stakeholders October 2018 Copyright Dr Peter Tobin, 2018

16 What you need to do about POPIA
Step 2: Assess Complete a structured compliance assessment in terms of the requirements in the POPI Act Use Compliance Assessment Tools to discover areas for remediation to address the requirements of the POPI Act; this can include hundreds of assessment questions depending on what is reasonable and appropriate Document the assessments completed October 2018 Copyright Dr Peter Tobin, 2018

17 What you need to do about POPIA
Step 3: Consider In light of the Step 2 assessments, consider the areas that require remedial action to achieve an acceptable level of risk in terms of achieving compliance Consider what process, procedural, documentation, technical and contractual changes need to be made Consider the entire Personal Information (PI) life cycle from acquisition through ultimate disposal Consider all the organizational and technical factors for success (e.g. HR, IT, processes) Obtain approval for a plan to achieve the required level of compliance October 2018 Copyright Dr Peter Tobin, 2018

18 What you need to do about POPIA
Step 4: Translate Translate your plans into action, with clearly defined objectives and milestones to achievement Translate the conditions for lawful processing into specific evidence of your remediation plan taking effect Translate your short term compliance preparation project into a long term compliance commitment Translate the cost of compliance into the benefits of compliance October 2018 Copyright Dr Peter Tobin, 2018

19 Practical example of POPIA non-compliance
Several well publicized cases of data loss e.g. Theft of passports and visa from UK High Commission Theft of laptops from Office of Chief Justice Theft of laptops from SABC parliament precinct office Suspected many more go unreported at present October 2018 Copyright Dr Peter Tobin, 2018

20 Practical example of POPIA non-compliance
Chief Justice Mogoeng Mogoeng’s offices burgled “Fifteen computers in the human resources unit which contained important information about judges in the country, officials in the office of the chief justice, the Constitutional Court, high courts, Supreme Court of Appeal and other specialists courts were stolen.” Source: Points to ponder Risk assessment? Security policy? Security measures in place? Training? Threat monitoring? Data recovery? Data loss management? Notification procedures? Post-breach lessons learned? October 2018 Copyright Dr Peter Tobin, 2018

21 POPIA/GPR compliance - How? In-house, go-it-alone
Advantages Potentially lower external cost Disadvantages High risk of failure due to lack of experience Longer duration due to steep learning curve Potential for re-doing what does not work October 2018 Copyright Dr Peter Tobin, 2018

22 POPIA/GDPR compliance - How? Supported by external advisors
Advantages Low risk approach Learn from those with experience Small chance of re-doing work Faster implementation Disadvantages Risk that external advisor does not perform Cost of external advice October 2018 Copyright Dr Peter Tobin, 2018

23 Recommendations for future action
Evaluate the importance and urgency for POPIA and GDPR compliance Identify the knowledge, skills and experience you need for compliance Evaluate how your executive team can support your POPIA & GDPR compliance journey Develop an action plan for compliance October 2018 Copyright Dr Peter Tobin, 2018

24 Copyright Dr Peter Tobin, 2018
Closing thoughts POPIA compliance is going to be a way of life There are steps that can be taken today to prepare for full compliance readiness Sponsorship from Executive Management and support across the whole organisation is key Don’t ignore GDPR – it may be a big issue October 2018 Copyright Dr Peter Tobin, 2018

25 Copyright Dr Peter Tobin, 2018
Closing thoughts Personal Action Plan Within 5 days I will: Within 20 days I will: October 2018 Copyright Dr Peter Tobin, 2018

26 Copyright Dr Peter Tobin, 2018
Closing thoughts Q and A October 2018 Copyright Dr Peter Tobin, 2018

Download ppt "CIGFARO CONFERENCE 9 OCTOBER 2018."

Similar presentations

Organizational Governance

Organizational Governance
Auditing, Assurance and Governance in Local Government

Auditing, Assurance and Governance in Local Government
Internal Control Concepts A Guide for Deans, Directors, and Department Chairs.

Internal Control Concepts A Guide for Deans, Directors, and Department Chairs.
Office of Inspector General (OIG) Internal Audit

Office of Inspector General (OIG) Internal Audit
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Elements of Internal Controls Preventing Fraud, Waste, and Abuse in Urban and Rural Transit Systems.

Elements of Internal Controls Preventing Fraud, Waste, and Abuse in Urban and Rural Transit Systems.
Control environment and control activities. Day II Session III and IV.

Control environment and control activities. Day II Session III and IV.
Internal Auditing and Outsourcing

Internal Auditing and Outsourcing
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
Portfolio Committee Presentation Government printing Works Audit and Compliance 07 May 2013 Presented by: Chief Executive Officer.

Portfolio Committee Presentation Government printing Works Audit and Compliance 07 May 2013 Presented by: Chief Executive Officer.
1.  Describe an overall framework for project integration management ◦ RelatIion to the other project management knowledge areas and the project life.

1.  Describe an overall framework for project integration management ◦ RelatIion to the other project management knowledge areas and the project life.
1 Internal Audit. 2 Definition Is an independent activity established by management to examine and evaluate the organization’s risk management processes.

1 Internal Audit. 2 Definition Is an independent activity established by management to examine and evaluate the organization’s risk management processes.
CIVILIAN SECRETARIAT FOR POLICE STATUS REPORT ON IMPLEMENTATION OF THE CIVILIAN SECRETARIAT FOR POLICE SERVICE ACT 2 OF 2011 PORTFOLIO COMMITTEE ON POLICE.

CIVILIAN SECRETARIAT FOR POLICE STATUS REPORT ON IMPLEMENTATION OF THE CIVILIAN SECRETARIAT FOR POLICE SERVICE ACT 2 OF 2011 PORTFOLIO COMMITTEE ON POLICE.
Indiana Regional Sewer District Association October 26, 2015.

Indiana Regional Sewer District Association October 26, 2015.
Internal Audit Section. Authorized in Section 20.055, Florida Statutes Section 20.055, Florida Statutes (F.S.), authorizes the Inspector General to review.

Internal Audit Section. Authorized in Section , Florida Statutes Section , Florida Statutes (F.S.), authorizes the Inspector General to review.
Protection of Personal Information Act An Analysis on the impact.

Protection of Personal Information Act An Analysis on the impact.
Cyber Security Phillip Davies Head of Content, Cyber and Investigations.

Cyber Security Phillip Davies Head of Content, Cyber and Investigations.
Mutual benefit? The audit committee and internal audit

Mutual benefit? The audit committee and internal audit
General Data Protection Regulation (EU 2016/679)

General Data Protection Regulation (EU 2016/679)
Business Briefing Security Service Providers

Business Briefing Security Service Providers

Similar presentations

Ads by Google