Ster Kinekor Presentation
SAPA Presentation
Protection of Personal Information Law
Daniella Kafouris, Senior Manager, Risk Advisory, Data Privacy / PPI Compliance Lead

What will this presentation cover? Key PPI risks
PPI Risks
• Risk 1: Regulation of the entire data life cycle
• Risk 2: Collecting, analysing and using customer data
• Risk 3: Outsourcing data relevant functions
• Risk 4: Cross-border transfer of data
• Risk 5: Special PI
• Risk 6: The compliance function

Risk 1: Regulation of the entire data life cycle

Risk 1: Regulation of the entire data life cycle
Personal Information – Key Conditions
• Accountability
• Processing Limitations
• Purpose Specification
• Further Processing
• Information Quality
• Openness
• Security Safeguards
• Data Subject Participation
Additional Requirements
• Special Personal Information
• Information about children
• Information Regulator
• Direct Marketing
• Trans-border Information Flows

The full data lifecycle (lifecycle diagram)
• Introduction
• Collection
• Processing
• Distribution
• Archiving
• Destruction
• Conclusion
Cross-cutting elements shown on the diagram: Data Quality and Integrity, Outsourcing, Loss

[Insert document footer] © 2013 Deloitte Touche Tohmatsu Limited

Risk 2: Collecting, analysing and using customer data

Risk 2: Collecting, analysing and using customer data
Consent in the direct marketing space, analytics tools and business intelligence
Can you or can’t you?

Risk 2: Collecting, analysing and using customer data
Direct Marketing
Direct marketing is permitted where:
• The data subject has given consent; or
• The data subject is a customer of a responsible party, provided that:
– The contact details were obtained in the context of the sale of a product or service;
– The marketing is for the purpose of direct marketing the responsible party’s own similar products or services; and
– The data subject has been given a reasonable opportunity to object, free of charge and free of unnecessary formality, at the time the information was collected and on the occasion of each communication.
Every communication must contain:
• Details of the identity of the sender;
• An address or contact details to which the recipient may unsubscribe.

T&Cs / Privacy Policy

Risk 3: Outsourcing data relevant functions

Risk 3: Outsourcing data relevant functions
Outsourcing elements of the PI life cycle
• Collection
• Processing
• Marketing
• Retention Requirements
• Destruction / Archiving
• Cross Border Transfers
• Purpose Specification
• Further Processing

Risk 4: Cross-border transfer of PI

Global Privacy Legislation
Global view on Data Privacy (map)
Legend: Has data privacy laws / Law in process / No data privacy laws
African countries marked on the map: Tunisia (public sector), Morocco, Cape Verde, Senegal, Zimbabwe, Burkina Faso, Benin, Mauritius, Angola, South Africa

Risk 5: Special PI

Special personal information
• Children
• Criminal behaviour
• Trade union membership
• Religious or philosophical beliefs
• Race or ethnic origin
• Political persuasion
• Health or sex life

Risk 6: The compliance function

Risk 6: The compliance function
Creating a Privacy Office for your organisation
What will you need?
• What is your status?
– Alignment of policies and process
– Assigning roles and responsibilities
– Begin the foundation of your incident management function
– Begin educating your organisation, your clients and third party service providers

Privacy…packaged (roadmap diagram)
Gap Analysis
• Identify stakeholders
• Conduct interviews
• Review documentation
• Prioritise gaps
• Design roadmap
Implementation
• Lay the foundation: Policies; Roles and responsibilities; Initial training and awareness; Incident Response Plan
• Ensure the rights of the customer: Notice; Access; Outsourcing; Direct Marketing; Cross-border transfer
• Secure control over information: Security for Privacy; Quality and integrity
• Manage the information life cycle: Collection; Processing; Outsourcing; Direct Marketing; Cross-border transfer
Sustaining Compliance
• Privacy impact assessments
• Annual health checks
• Metrics and reporting
• Review on controls
• Regulatory updates
Supporting capabilities shown around the diagram: Analytics, Cyber, Training, Security, Legal, Cloud, Audit

Who should your privacy officer be?
Mind of a privacy officer
• Public Relations Executive
– High internal profile
– Media ready
– Reassurance to consumers
• Legal background
– Compliance
– Contractual Advice
– Judicial Process
• IT Specialist
– Knowledge of capabilities and limits of technologies that process PI

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (DTTL), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

Deloitte provides audit, tax, consulting and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 200 000 professionals, all committed to becoming the standard of excellence.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

© 2013 Deloitte & Touche. All rights reserved. Member of Deloitte Touche Tohmatsu Limited