Protecting personal information in accordance with the Act requires a diverse set of skills and experience. With over twenty years' experience in the protection of personal information in Europe, the IT Governance Network is unique in the breadth and depth of its practical knowledge and experience. A number of its staff attended the Parliamentary meetings at which the Protection of Personal Information Bill was drafted, and they made six submissions, some of which are reflected in the finalised Act.
The IT Governance Network is able to assist a wide range of clients, across all industries, to fulfill the requirements for lawful processing of personal information. Its practical, legal, business and information processing services enable clients to overcome the many challenges of the privacy legislation in a pragmatic way. Its software solutions, used in Europe, are available in South Africa too.
POPIA Services and Software Solutions enabling compliance:
(see also www.popia.net)
Available POPIA Services:
- Executive awareness about the obligations of responsible parties
- Identification of personal information assets and business impact of privacy concerns
- Legal and technical privacy threat and vulnerability analysis
- PAIA manual preparation and update
- Comprehensive IT legal register and update service
- Evaluation of technical and organisational measures
- Selection and implementation of privacy safeguards
- Contracts with service providers
- Service provider verification
- Privacy by design
- Privacy training and consulting services
- Privacy programme management.
Available POPIA Software Solutions:
GOVERN THE POPIA COMPLIANCE FRAMEWORK
- System to assign governance, management and operational data protection tasks to persons responsible across the enterprise, processors and sub-contractors; to set priorities, implement strategy, use dashboards to track progress
Context and interested parties
- Establish the context and expectations of interested parties.
Obligations and guidance
- Record data protection obligations and update a knowledge base with regulatory guidance.
Objectives, scope and policy
- System to determine the data protection objectives, scope and planning for using and protecting personal data.
PLAN THE POPIA COMPLIANCE FRAMEWORK
Inventories of processing
System to establish inventories and record:
- details of personal data used at all locations
- data transfers
- outsourced processing and processes
- sources and status of consent records
- data protection processes and safeguards.
Registers and libraries
System to record:
- IT legal compliance obligations
- contracts with processors and sub-contractors
- data sharing templates and agreements
- criteria for prior authorisation and consultation
- legal, technical and organisational vulnerabilities
- policies and operational practices
- options for privacy by design and default
- risk treatment options
- risks and delegated risk owners
- internal controls and protections to counter risks
- audit programme templates.
Data protection impact assessments
System to conduct, record and maintain data protection impact assessments; develop privacy plans.
DEVELOP THE POPIA COMPLIANCE FRAMEWORK
Involve the information officer
- Properly involve the information officer and others in the data protection activities
Orchestrate and track POPIA related work
- Assign operational tasks, implement and operate safeguards to treat risks and log performance.
Communicate the processing of personal data
- Inform the information regulator and data subjects.
IMPLEMENT THE POPIA COMPLIANCE FRAMEWORK
- Maintain granular records and track consent received from and withdrawn by data subjects.
Case management (handle data subject requests)
- Respond to information requests and complaints. Notify data subjects of interferences and breaches.
Operate technical and organisational measures
- Manage measures, the information life-cycle, lawful processing of personal data, changes in processing risk.
- Respond to incidents, track actions through to closure.
MONITOR THE POPIA COMPLIANCE FRAMEWORK
Demonstrate compliance with POPIA
- Manage a central repository of artefacts, event logs and audit trails to demonstrate compliance.
Evaluate the protection of operational systems
- Audit the technical and organisational measures.
Assess compliance with the POPIA
- Audit compliance of system functions with the POPIA.
Monitor processor (vendor) processing and guarantees
- Audit the status of processor compliance.
Validate processor (vendor) assertions
- Audit the operator assertions of compliance.
REACT TO NON-CONFORMANCE WITH THE POPIA COMPLIANCE FRAMEWORK
React to non-conformity and take corrective action
- Plan, organise, direct and control the actions taken in response to non-conformance.
Continually improve suitability and adequacy
- Create status and progress governance dashboards, and management and operational reports.
Communicate benefits realised
- Summarise and report progress with improvements in the protection of personal data and increases in respect for data subjects’ rights.
For details of available POPIA training, visit: www.popiatraining.co.za
Pdf POPI and Big Data
Pdf POPI and Information Security
Pdf POPI and Responsible Parties
Pdf POPI and the PAIA Manual
Pdf POPI and Conditions for Processing Personal Information
Pdf POPI and the Information Officer
Pdf POPI and Contracts with Operators
Pdf POPI: Role of Information Officer in System Development
Pdf POPI and the Impact on Cloud Computing
Pdf POPI and the Impact on Healthcare Catering