POPI News Updates

ISM (INFORMATION SECURITY MANAGEMENT) TIPS FOR SMES – BYTE 10

In our tenth byte, we discuss the final policy statement you should include in your basic ISM policy as an SME: Conduct an Information Security Risk Assessment.

DATA PRIVACY ROUNDUP FOR 2024 Q3

In this issue of our Data Privacy Roundup, we chat about some of the data breaches that have happened in South Africa and their impact on South Africans.

CAN OPERATORS USE DATA TO TRAIN AI AND IMPROVE SERVICES?

An operator is an organisation that processes personal information on behalf of a responsible party under a contract or mandate. Operators follow the responsible party’s instructions and may only make decisions about non-essential means to be used (e.g., what software to use).

JOINT STANDARD 1 OF 2023: IT GOVERNANCE AND RISK MANAGEMENT FOR FINANCIAL INSTITUTIONS

The Joint Standard 1 of 2023 on IT Governance and Risk Management from the South African Reserve Bank provides guidelines for financial institutions to handle IT risks. It highlights the need for strong IT governance to manage

ISM (INFORMATION SECURITY MANAGEMENT) TIPS FOR SMEs – BYTE 9

In this byte, we look at how you should manage and respond to data breaches or incidents. Most people know about the security notification requirements in POPIA

DATA PRIVACY ROUNDUP FOR 2024 Q2

In this issue of our Data Privacy Roundup, we highlight the Information Regulator’s new eServices portal, and their updates to the guidance note for political parties

ENFORCEMENT NOTICES ISSUED BY THE REGULATOR IN TERMS OF POPIA

Since last year (2023), the Information Regulator (Regulator) has issued five enforcement notices due to data breaches suffered by responsible parties. The Regulator held a media briefing and summarised the

WHEN POPIA DOESN’T APPLY

When an organisation doing business in South Africa asks ‘Does POPIA apply to us?’, the answer is yes. Even if an organisation doesn’t use personal information to deliver its products or services

Data Privacy Roundup For Q3 2023 - Q1 2024

In this issue of our Data Privacy Roundup, we uncover the significant improvements made by the Information Regulator in enforcing data privacy regulations

ISM (Information Security Management) Tips For SMEs – Byte 8

In this eighth byte, we break down the next policy statement you should include in your basic ISM policy – manage third parties.

Are You Being Watched? The Legality Behind Workplace Monitoring

In this post-Covid era, many organisations have adopted a hybrid working model to support their employees. These organisations face the challenge of balancing monitoring employee activities

Navigating The Delicate Balance Of AI And Privacy

As technology rapidly evolves, artificial intelligence (AI) has emerged as a significant innovator across various fields. While AI enhances daily life, it also introduces significant privacy, data security, consent,

ISM (Information Security Management) Tips For SMEs – Byte 7

In our seventh byte, we will break down the next policy statement you should include in your basic ISM policy – information availability. That is, you must ensure that you backed up

Telemarketing In South Africa: Navigating The POPIA Landscape

The telemarketing sector in South Africa is currently undergoing significant regulatory scrutiny. The Information Regulator is taking a strong stance against direct marketers.

What Is It About Personal Information Which Is ‘Publicly Available’ Or ‘In The Public Domain’?

Every so often, a client will say, ‘But that personal information is publicly available, so POPIA does not apply’ … and unfortunately, one has to tell them that this statement is false. POPIA applies to all personal information (unless it is de-identified etc),

More About … Information Matching Programmes

To get a POPIA code of conduct accredited, a POPIA code of conduct must specify appropriate measures for information matching programmes if such programmes are used within the specific relevant sector.

Information Security Management Tips For SMEs – Byte 6
Issue 24 Information Security Management Tips For SMEs – Byte 6 May 2023

In our sixth byte, we will break down the third policy statement you should include in your basic ISM policy – taking appropriate, reasonable technical and organisational measures to protect the information within your possession or control.

Data Privacy Roundup For Q1 Q2 2023
Issue 23 Data Privacy Roundup For Q1 Q2 2023 May 2023

This is another roundup of the interesting articles, events and guidance released by data protection regulators worldwide, which we have found interesting, informative and valuable from the first and second quarters of 2023.

Do Privacy Rights Exist Concerning The Personal Information Of Deceased Persons
Issue 22 Do Privacy Rights Exist Concerning The Personal Information Of Deceased Persons May 2023.jpg

POPIA doesn’t apply to deceased persons’ personal information – end of the story, right? This is the typical answer we receive to this question. However, the answer is a little more nuanced than that.

Gerber V PSG Wealth Financial Planning
Issue 21 Gerber V Psg Wealth Financial Planning May 2023

Another day, another data breach! Recently (in March 2023), the South Gauteng High Court handed down another interesting judgment related to liability for financial loss caused by cybercrime. To be more specific, in the judgment of Gerber v PSG Wealth Financial Planning, the judge had to deal with the following issue:

ISM (Information Security Management) Tips For SMEs – Byte 5
March 23_Issue No  20_ISM Tips for SMMEs_Byte 5.jpg

In our fifth byte, we will further break down the second policy statement a basic ISM policy should include – access control. We will also discuss what implementing this policy statement entails and tips for doing so within an SME environment with limited time and resources.

Data Privacy Round Up For Beginning Of 2023
March 23_Issue No 19_Data Privacy Roundup 2023.jpg

This is another roundup of the interesting articles, events and guidance released by data protection regulators worldwide, which we have found interesting and informative in the first few months of 2023.

The Impact of AI On The Legal Industry
March 23_Issue No 18_The Impact of AI on the Legal Industry.jpg

Lawyers should pay attention to the implications of AI on the legal industry as it will impact how they currently perform services and how they do their work in the future. By automating routine and time-consuming tasks, AI allows lawyers to concentrate on more cost-effective tasks, make better-informed decisions and spend more time on preparation.

What We Think About … Hawarden V Edward Nathan Sonnenbergs Inc
March 23_Issue No 17_ENS Case Comments 2023.jpg

Recently (in January 2023), the South Gauteng High Court handed down a very interesting judgment relating to liability for pure economic loss caused by insufficient or inadequate cybercrime security safeguards.

ISM (Information Security Management) Tips For SMEs – Byte 4
Issue no 16_ISM Tips for SMMEs_Byte 4.jpg

In our fourth byte, we will further break down the first policy statement that a basic ISM policy should include – classifying your information. We will also discuss how to implement this policy statement within an SME environment with limited time and resources.

Data Privacy Roundup For Year-end 2022
Issue no 15_Data Privacy Roundup 2022_2023.jpg

This is another roundup of the interesting articles, events and guidance released by data protection regulators worldwide which we have found informative and valuable as of the end of 2022 going into 2023.

How Does POPIA Apply To Litigation Proceedings?
Issue no 14_POPIA and Litigation.jpg

One of the general exclusions for POPIA (as set out in section 6(1)(c)) is that POPIA does not apply to ‘judicial functions of a court’. In one of our ‘tricky areas’, we have asked how far or to what this exclusion would extend.

Handle Data Subject Requests Like A Boss
Issue no 13_DSR Like A Boss.jpg

What is a ‘Data Subject Request’? We made up the phrase ‘Data Subject Request’. It is used in the context of the EU GDPR, but usually to describe requests for deletion or erasure. We use it to describe any instance where a data subject is trying to exercise one of their data-subject rights largely listed in sections 23 to 25 of POPIA.

ISM Tips For SMEs – Byte 3
Issue_no_12_ISM_Tips_for_SMEs_Byte_3.jpg

In our third byte, we discuss what we would put in a basic Information Security Management (‘ISM’) Policy for an SME. This gives you a general idea of what policy statements and topics your ISM policy should adopt and address.

Data Privacy Round Up For 2022 So Far
Issue_no_11_Data_Privacy_Roundup_September_October_2022.jpg

This is another roundup of the interesting articles, events and guidance released by data protection regulators worldwide, which we have found interesting, informative and valuable as of September/October 2022.

Public CCTV Surveillance And POPIA – How Do These Two Work Together?
Issue_no_10_CCTV_Monitoring_and_POPIA.jpg

Governments' surveillance of their citizens has seen a massive uptick in recent years (especially with Covid-19). There is an extreme example of massive public surveillance in China.

Handle Data Subject Requests Like A Boss – Access Requests
Issue_no_9_DSAR_Like_A_Boss.jpg

What is a ‘Data Subject Request’? We made up the phrase ‘Data Subject Request’. It is used in the context of the EU GDPR, but usually to describe requests for deletion or erasure.

ISM Tips For SMEs - Byte 2
Issue_no_8_ISM_Tips_For_SMEs_Byte_2-1_1.jpg

In our next byte, we will discuss documenting the ISM technical and organisational measures you have implemented within your organisation. Remember the series of questions we asked last time (e.g. do you have a data breach response plan

Data Privacy Round Up For 2022 So Far
Issue_no_7_Data_Privacy_Roundup_For_2022_So_Far-1_1.jpg

This is another roundup of the interesting articles, events and guidance released by data protection regulators worldwide

Are Background Checks Legal Under POPIA?
Issue_no_6_Candidate_Background_Checks_and_POPIA-1_1.jpg

Undoubtedly, background checks are super invasive and require A LOT of personal information. These days, background checks are part and parcel of many application processes

Vetting and Screening Data Subjects Under POPIA
Issue_no_5_Vetting_and_Screening_Data_Subjects_Under_POPIA-2_1.jpg

Is it possible to ‘vet’ or ‘screen’ or dare we say ‘profile’ data subjects for their eligibility or suitability for certain goods and services under POPIA?

Data privacy roundup for 2022 so far

We read a lot about data privacy at home and abroad. This is just a roundup of the interesting articles, events and guidance released by data protection regulators...

ISM Tips for SMMEs - Byte 1

Why ISM tips for SMMEs? We’ve been doing this for a while and have noticed that this is one area of POPIA compliance that smaller organisations battle with. Keeping any information...

B2B Direct Marketing and POPIA - What's the deal?

There’s been a lot of hoo-hah about POPIA’s impact on direct marketing in the business-to-consumer (B2C) space. But what about POPIA’s impact on direct marketing in the business-to-business (B2B) space?...

To scrape or not to scrape personal information?

The Information Commissioner’s Office (ICO) recently fined Clearview AI Inc £7,552,800 for collecting images of people from the UK from the internet and creating an online database with the images.

Info Wars Episode IX

We discuss how Direct Marketing can still thrive under the rule of POPIA and why telemarketing was left out of discussion under the Act.

How to write contracts that matter

Here are ten principles to keep in mind and apply when drafting contracts that will better the user’s experience and make it much more palatable when consuming all the information.

Are you mature enough for POPIA

We explain what information governance is and why it is so important to do an information governance maturity assessment before starting a POPIA project.

Does data minimisation spark joy

We discuss the POPIA requirement of ‘minimality’ (as referred to in Section 10 of POPIA) and its benefits for organisations when they implement it.

Hacking data breaches: we need a new breed of compliance officer

We list the knowledge and skill requirements necessary for Compliance Officers to properly manage their organisation’s Information Security and what organisations need for adequate Incident Response Management.

Direct marketing and the dreaded consent

We discuss what Direct Marketing and Consent are, when it’s necessary to obtain consent, when not to and what it should look like.

The C-word

We discuss Consent, one of the six lawful grounds for processing personal information; what it means, in what circumstances it’s not necessary to ask for consent and if you do need to - how to ask and how to manage it.

POPIA compliance and Codes of Conduct

We discuss what a Code of Conduct is, the purpose of a Code of Conduct, and what specific issues should be regulated under a Code of Conduct.

Get the right Operator contracts in place in 6 simple steps

POPIA requires a Responsible party to conclude a written agreement with all its operators. We discuss what an Operator is in terms of the POPIA and provide six steps that you should follow to help you comply with this requirement.

Our top five favorite privacy notices

We discuss the POPIA requirement of ‘minimality’ (as referred to in Section 10 of POPIA) and its benefits for organisations when they implement it.