The current primary ICTCompliance
focus is centred on the Protection of Personal Information Act, seeing it as eventually forming the hub of the South Africa data compliance environment. ICTCompliance
are conducting seminars, workshops and onsite implementations around the South Africa, as part of the process to assist clients to do the basic orientations required, to do the compulsory appointments of ‘responsible persons’ in terms of the POPI Act, establish the basic facts and processes to move towards a data compliance policy and to then tailor the required organisational and technical environment required of their organisation.
proprietary CyberVault solution enables clients to become and remain in compliance with the POPI Act and relevant other Acts, whilst also turning the implementation process into an unparalleled marketing and communication opportunity because of the mobile technologies added to conventional data management solutions. However, this solution will only become available once the POPI Act has been promulgated and thus becomes effective law, by the nature of the construction of the solution. The first phase of roll-out will be to select clients in different industry sectors, in a beta format and with commensurate terms and conditions.
has compiled a series of different formats and curricula for orientation and training of our clients in respect of the Protection of Personal Information Act and related legislation, such as the Promotion of Access to Information Act (PAIA), the Consumer Protection Act and numerous others. The details, scheduling and pricing of these are supplied to enquirers on an individual basis, such enquiries can be directed to firstname.lastname@example.org
An example of the basic formats and content of the coaching events in South Africa follows:
One day event - OVERVIEW of the Protection of Personal Information Act
Emphasis is placed on offering delegates an understandable and practical overview and guide to the POPI Act, particularly the ‘responsible parties’ (Read CEO’s) and appointed ‘information officers’ of both private and public bodies, to assist them in starting to make both the organisational and technical changes enforced by the new Act.
Given that fines of up to R 10 million and that these even combined with jail sentences in some instances are at play here, delegates need to be clear about the collection of and on-going dealing with personal data having to be for a defined and lawful purpose, the need to have data subjects made aware of any collection and/or processing of data and the means available for communication with data subjects, the required security measures of international standard that are to be put in place and the implications of cross-border transportation of data, as well as the age-management of and legitimate purposes required for data retention.
There are hardly any organisations that will not have to comply with the POPI Act, and it has now become a fact of our business lives, and ICTCompliance
seminars help to soften the effects thereof and also to highlight the inherent opportunities. Most importantly though, and an ICTCompliance
distinguishing trait, the content of these are aimed specifically at equipping attendees to be able to approach their enterprise compliance assessment procedures with confidence and on an informed basis, to practically participate in the compilation and implementation of a privacy strategy, and ultimately establishing a comprehensively compliance environment for their enterprises.
Delegates will come away from this event with the following capacities, and will also have material to be able to communicate their new knowledge to other members of their management teams:
- Clarity about the roles of the CEO/Responsible Person and Information Officer, as defined in the POPI Act, in driving and maintaining compliance with it;
- Have the ability to communicate their understanding and grasp of the main provisions of the Act to those involved in any manner with the processing of data in their organisation;
- Awareness of the strategic considerations pertinent to the changes to our business environment enforced by the new legislation, SWOT analysis included;
- Be able to identify and analise the key components of their organisation that will be requiring of organisational and technical adjustment as a result of the new Act;
- Drive the combined effort required to do an assessment of the current compliance status of their organisation, participate in the required compilation of a data policy and project manage the implementation of the required measures, which could include the integration of the ICTCompliance CyberVault technical solutions into the business environment of their organisation.
Outline of the Day:
Material made available to delegates prior to the event, as well as that presented in the initial two hours are dealt with by the presenters, then subjected to open discussion and then we move to a set of practical scenarios, some being case studies and others being delegate environments. The day is followed up with a individualized synopsis report, published and distributed within seven days of the actual event.
The minimum topics addressed are listed below, whilst delegates will also be afforded the opportunity to submit additional topics of their choice. The current standard topics are:
- The development path, motivation and strategic import of the new legislation;
General overview of the structure and specific provisions of the POPI Act, including crucial definitions;
- The duties of the Responsible Party and the Information Officer;
- The Regulator, pertinent functions and relationships with other Acts and their enforcement;
- The processing of personal data and the eight conditions applicable thereto;
- The requirements and available formats for communicating with data subjects, including cross-border perspectives, the requirements of age- and purpose analysis and required destruction;
- The minimum security requirements for data management compliance;
- Plotting a compliance implementation path, and outline of the various process steps and required capacities;
- Specific industry perspectives - retail, financial services, tourism, direct marketing, membership communities and others with reference to the audience mix;
- Technical solutions landscape - ICTCompliance CyberVault solutions and mobile-driven communications and security perspectives, cybercrime insurance and others according to client or attendee profiles.
Two day event - IMPLEMENTATION INITIALISATION - the Protection of Personal Information Act
Note that the program and content of the first day of this event are as outlined in the above and that the second day commences with discussion items raised by delegates who remained for the more implementation-driven processes of the second day of this event.
Overview of Compliance Implementation Initialisation/Day 2:
Delegates will be able to see their newly-gained knowledge in perspective to the background of the legislative environment presented by the POPI Act, PAIA, the CPA and other acts, as well as the technological solutions on offer from ICTCompliance and associates. There are no sales or marketing pitches involved in these sessions whatsoever, the focus remaining on functionalities required. Introductions and references are only done upon requests by clients or attendees, or eventually as part of an approved strategic plan and budget compiled by ICTCompliance.
The initial steps to planning and commencing with a compliance implementation plan will be enabled by the discussions and presentation material, amplified by the practical interaction with assessment tools such as the set of ICTCompliance Questionnaires, and some case studies.
Second Day Objectives:
- Delegates will be able to compile a checklist of relevant components and actions within their organisations that are directly relevant to the provisions of the POPI Act;
- The bespoke and distinguishing aspects pertinent to their organisation and industries of relevance for the purposes of the compilation of a data policy and general compliance implementation plan, will be able to be identified and communicated about by delegates;
- Delegates will be able to compile the outlines of a project management map regarding the compliance requirements pertinent to the relevant set of legislation;
- The technological landscape to the POPI Act and the incumbent hazards, and crucially also opportunities, to it will be rendered understandable to delegates;
- Delegates will be able to, at the very least, initialise the updating of their organisational documentation such as employment contracts, PAIA manuals, client terms and conditions, also to commence with their own privacy impact assessments and resultant initiatives.
Second Day Content Topics Outline:
Building on the material and records established during the first day, pertinent further topics that are dealt with are listed below. Some level of detail will be dealt with, which will be further amplified by additional digital material provided onsite.
- Identification and categorising of all data processing actions;
- Accountability and the allocation thereof for data processing purposes;
- Lawful processing of data further in detail;
- Authorisation, prior to processing and the effects of other legislation on retention and/or processing;
- Technological landscapes pertinent to cross-border exchanges or transportation of data;
- Minimum essentials and strategic considerations - Privacy Impact Assessment or Evaluation;
- PAIA requirements and the role of the (Joint) Regulator - records to be maintained;
- Data subject dealings - contact, requests and complaints;
- Sanctions, penalties, criminal and civil remedies, international scenarios and precedents;
- Verifying compliance credentials of operators and third parties, standard contract terms and disclaimers;
- Quality of records, security levels and authority policies, legal register, general maintenance, audits, spot- checks and analysis;
- Tailoring a bespoke technical solution, such as ICTCompliance CyberVault as one example only, setting of business rules - headlines;
- Budgeting for compliance, technology versus employee assessments, procedures for pre-compliance and insurance cover procurement;
- Breach reporting environment, comprehensive landscape orientation and step-by-step action path in the event of a breach having been identified.
The above example can also serve as orientation regarding the ICTCompliance approaches generally, with reference to other privacy and compliance regimes, as these basics are localised for application in the other prominent regions such as the USA, the European Union and others. We also have a tailored international module, focused on equipping clients to do cross-border business without having to be concerned about falling foul of different privacy and compliance regimes. This is of particular current relevance to the BRICS-related initiatives, as well.