
Page 1: IITPSA - POPI impact on IT 19092013 - Actualising Change
mobiusconsulting.co.za/.../09/IITPSA-POPI-impact-on-IT-19092013.pdf

PRESENTATION: THE IMPLICATIONS OF POPI ON IT
DATE: 19 SEPTEMBER 2013

Page 2:

Agenda

•  Background
•  Practical assessment techniques
•  IT focus: Enabling the business
•  Remediation roadmaps
•  Business benefits
•  Questions & Answers

Page 3:

Background: Overview

•  The Protection of Personal Information Bill
•  Gives effect to a person's right to privacy (in RSA this includes both natural and juristic persons)
•  Governs the way in which personal information is processed by companies
•  Personal information is:
   •  Any information that can be used to uniquely identify a person
   •  Name, ID number, cell phone number, email address
   •  Religious beliefs, information related to children, health, etc.
•  What does non-compliance mean?
   •  Regulatory fines (up to R10 million)
   •  Prison sentence
   •  Regulatory audits
   •  Reputational damage

Page 4:

Background: Status

Recent activity:
•  National Assembly approval on 20 August 2013

Next steps:
•  Translation
•  Signed into law
•  Commencement

Page 5:

Background - Overview of the 8 POPI conditions

1) Accountability
Responsible parties must ensure that the principles of the POPI Bill are complied with.

2) Processing limitation
Personal information may only be processed in a fair and lawful manner, with the consent of the persons providing their personal information (or on another lawful basis that the Bill provides for).

3) Purpose specification
Personal information may only be processed for specific and legitimate purposes.

4) Further processing limitation
Personal information may only be further processed if this is in line with the original purpose, or if additional consent is obtained.

5) Information quality
Companies must put reasonable measures in place to ensure the quality of the personal information they process.

6) Openness
Companies must keep a formal record of the personal information they process.

7) Security safeguards
Companies must ensure that reasonably practicable controls are in place to safeguard the personal information they process.

8) Data subject participation
Persons must be able to request access to their personal information held by a company, and to have it updated or deleted.

Page 6:

Practical assessment techniques

Figure 1: Mobius Consulting Information Privacy methodology
Phases: Plan & Assess; Remediate; Business as usual
1. Privacy Awareness and Prioritisation
2. Privacy Risk Assessment
3. Roadmap Design and planning
4. Develop Privacy Governance & Control Framework
5. Implement Privacy Governance & Control Framework
6. Monitor & Audit

Page 7:

Practical assessment techniques: Where to start?

•  Where are your privacy touch points?
•  What is the risk of a breach of your personal information?
   •  Reputation
   •  Financial
   •  Operational
   •  Compliance
   •  Social responsibility
•  What is your perceived readiness?

How big is your elephant and where do you take the first bite?

Page 8:

Practical assessment techniques: IT's involvement

Key activities
•  Understand personal information processing (end-to-end)
   •  Workshops
   •  Process mapping
   •  Dataflow mapping
•  Risk assessment
•  Gap assessment
•  Remediation roadmap definition

Critical success factors
•  Business ownership
•  Key stakeholder involvement
   •  Business process (end-to-end)
   •  IT/Information management
   •  Legal/Compliance
•  End-to-end business and data life-cycle understanding

Figure 1: Mobius Consulting Information Privacy methodology (repeated from Page 6)

Page 9:

Practical assessment techniques: IT's involvement – Data discovery

Key activities
•  Network scan
•  Preliminary screening/Fingerprinting
•  Data classification scan

Figure 1: Mobius Consulting Information Privacy methodology (repeated from Page 6)
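The data classification scan is the one step on this slide that IT can script directly. What follows is an added example, not code from the slides or from Mobius Consulting: it scans unstructured text for the identifier types the deck lists as personal information (ID number, cell phone number, email address) and validates every 13-digit ID-number candidate against the South African ID layout (a YYMMDD date prefix and a Luhn check digit), so that an invoice reference that happens to be 13 digits long is not reported as a hit. The sample documents, the file names, the cell-number pattern, the scanned file suffixes and the remediation weights in WEIGHTS are all assumptions made for the example; the validate_sa_id() check is also the kind of input validation the next slide lists under information quality.

```python
"""Data classification scan for South African personal information.

Added example, not from the slides. Looks for the identifier types the
deck lists as personal information (ID number, cell phone number, email
address), validates ID-number candidates so that arbitrary 13-digit
strings are not reported, and ranks the files found for remediation.
"""
import re
from collections import Counter
from datetime import date
from pathlib import Path

# Candidate patterns. ID_CANDIDATE deliberately over-matches (any run of
# exactly 13 digits); validate_sa_id() filters the false positives out.
ID_CANDIDATE = re.compile(r"(?<!\d)\d{13}(?!\d)")
# Assumed SA cell-number shape: 0 or +27, a 6/7/8 prefix, ten digits in
# total, with optional space or dash separators as people usually type them.
CELL_RE = re.compile(r"(?<!\d)(?:\+27[ -]?|0)[6-8]\d[ -]?\d{3}[ -]?\d{4}(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Assumed remediation weights: an ID number exposes far more than an email.
WEIGHTS = {"sa_id": 5, "cell": 2, "email": 1}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over the whole string; the rightmost digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_sa_id(candidate: str) -> bool:
    """Structural check of a 13-digit SA ID number (YYMMDD SSSS C A Z).

    The first six digits must form a real calendar date and the last digit
    must be the Luhn check digit over the preceding twelve.
    """
    if len(candidate) != 13 or not candidate.isdigit():
        return False
    yy, mm, dd = (int(candidate[i:i + 2]) for i in (0, 2, 4))
    # Two-digit year: later than the current year's last two digits means
    # the previous century.
    century = 1900 if yy > date.today().year % 100 else 2000
    try:
        date(century + yy, mm, dd)
    except ValueError:
        return False
    return luhn_ok(candidate)


def classify_text(text: str) -> Counter:
    """Count personal-information hits per category in one document."""
    hits = Counter()
    hits["sa_id"] = sum(1 for m in ID_CANDIDATE.finditer(text)
                        if validate_sa_id(m.group()))
    hits["cell"] = len(CELL_RE.findall(text))
    hits["email"] = len(EMAIL_RE.findall(text))
    return +hits                            # unary plus drops zero-count categories


def classify_tree(root: Path, suffixes=(".txt", ".csv", ".log")) -> dict:
    """Scan a directory tree of unstructured text files; returns {path: Counter}."""
    results = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = classify_text(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


def prioritise(results: dict) -> list:
    """Order scanned files for remediation, highest weighted exposure first."""
    return sorted(results,
                  key=lambda name: sum(WEIGHTS[k] * v for k, v in results[name].items()),
                  reverse=True)


# Constructed sample "files" (synthetic data, not real people or numbers).
SAMPLE_DOCS = {
    "hr/onboarding.txt": (
        "New starter: Thandi Nkosi, ID 8001015009087, cell 082 555 0123, "
        "email thandi.nkosi@example.co.za\n"
    ),
    "finance/invoices.csv": (
        "invoice,amount,reference\n"
        "INV-1001,1250.00,8001015009088\n"  # fails the Luhn check: a reference, not an ID
        "INV-1002,990.00,1234567890123\n"   # month 34 is not a date: not an ID
    ),
    "ops/server.log": "2013-09-19 10:02:11 INFO nightly backup completed\n",
}


def scan_samples(docs=SAMPLE_DOCS) -> dict:
    """Run the classifier over the in-memory samples; {name: {category: count}}."""
    results = {}
    for name, text in docs.items():
        hits = classify_text(text)
        if hits:
            results[name] = dict(hits)
    return results


if __name__ == "__main__":
    found = scan_samples()
    for name in prioritise(found):
        print(name, found[name])
```

Only the HR file is reported: the two 13-digit references in the invoice file fail the date or Luhn check, which is the difference between a scan that surfaces real exposure and one that buries the privacy team in false positives. For a real file share, classify_tree() walks a directory with the same classifier; extend the suffix list and patterns to the formats and identifiers found during the process and dataflow mapping.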

Page 10:

IT focus: enabling the business

1) Accountability
•  Privacy officer
•  Deputy information officer

2) Processing limitation
•  Identity & access governance (IAG)
•  Consent storage
•  3rd party contracts

3) Purpose specification
•  Data retention/destruction

4) Further processing limitation
•  Contracting with 3rd party operators and establishing security safeguards

5) Information quality
•  Input validation
•  Data quality reporting
•  Data governance

6) Openness
•  Data governance
•  Incident logging and management

7) Security safeguards
•  Risk assessment
•  Information security
•  Identity & access governance (IAG)
•  Security awareness

8) Data subject participation
•  Data governance

Page 11:

World's biggest data breaches

Source: Information is Beautiful
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Page 12:

International data breaches: Hacked/Poor security

Page 13:

Security compromise

Source: Digital Trends
http://www.digitaltrends.com/mobile/evernote-hack-50-million-users-forced-to-reset-passwords/

Page 14:

Remediation roadmaps

•  Should address the identified privacy gaps
•  Activities can be categorised as:
   –  Privacy governance
   –  Training and awareness
   –  Business process
   –  3rd party management
   –  System changes, including information security

Page 15:

Remediation roadmaps: System changes and information security

•  Perform an information risk assessment
•  Understand and identify the security, system development and change requirements needed to enable information security
•  Assess the current state of information security
   –  Security reviews (ISO 27000 etc.)
   –  Vulnerability reviews (internal & external)
   –  Data discovery (structured and unstructured)
•  Remediate information security gaps
•  Monitor system logs
•  Manage the quality of the information processed
•  Drive electronic record management in line with the record retention policy and schedule

Page 16:

Business benefits

Is POPI just a compliance issue, or can there be benefits for the business? How can the investment in POPI compliance be leveraged to add value to the business?

•  Rationalise architecture
•  Reduced expenditure on storage (physical and electronic)
•  Business process improvement
•  Data quality
•  Compliance, security and incident management savings
•  Competitive advantage

Page 18:

www.mobiusconsulting.co.za

THANK YOU

PRINCIPAL CONSULTANT
LYNN MARTIN
[email protected]
mobile 083 397 0537