POPIA panel discussion with the Regulator on 3 Aug 2020
Transcript of discussion hosted by Michalsons on 3 August 2020

Video link: POPIA Panel Discussion with the Information Regulator

  • Advocate Pansy Tlakula
  • Mr Sizwe Snail
  • Adv Colleen Weapon
  • Adv Lebogang Stroom
  • Nathan-Ross Adams
  • Claire Williamson, Group Compliance Officer, Mr Price Group
  • Sicelo Kula
  • John Giles
  • Mark Heyink

TRANSCRIPT 

Intro - The importance of Privacy

  • [15:20] EU Courts struck down the EU-US Privacy Shield (Schrems II case, 16 July 2020)
  • [24:28] Prior Authorisation is a prioritised issue, guidance is forthcoming

[26:30]-[29:43] Claire Williamson, Mr Price - what it takes to achieve compliance

  • [27:10] We have achieved and completed quite a few quick wins in the last while, it's a team effort
  • [27:18] Support of management and project sponsors who see the value in protecting PI as a business asset, most NB, protecting valued customer information.
  • [27:35] The importance of the Data Protection Team, the evolution of the team in Mr Price since (she joined the group), the three of them wearing multiple hats - they have established a greater data protection team with reps from all areas of the business + IT (…and also IT, which is also an important part of this process). The Data Protection Team - willingness to participate is critical
  • [28:24] Support from all of our associates outside the DP team - to be willing to learn more about data protection - [28:40] early days for awareness & training
  • [28:48] Data protection gap analysis is underway. Gaps highlight areas that need enhancement to protect data, outlay from human & financial resources
  • [29:23] Support from the Regulator, guidance and advice is needed

[29:46] Q&A Mr Sizwe Snail

  • [30:17] What advice do you have for an organisation wondering what their next steps should be?
  • First - compliance must be addressed during the grace period. Use this period to get your house in order.
  • Watch for advice from the Regulator - seek clarification on the Act
  • [31:45] What are the first things that RPs should focus on?
  • Point of departure - the 8 conditions for lawful processing (the eight principles). Understand that they are a collective duty, you need to respect them collectively. Understand how they apply to you
  • [32:38] What is the likelihood of extending the grace period? What is the likelihood of action?
  • This time is to be used to get compliant.
  • No view of an extension at this time.
  • Regulator will definitely be enforcing at the end of the grace period.
  • [34:10] How do we enable data flows to South Africa, and ensure that the EEA is able to export data to data importers in SA?
  • Varsa Sewlal - PI received from other countries - POPIA will apply. Section 72 applies to data flowing out of the country, guidelines are forthcoming
  • [36:06] The draft guidelines on Registration of the IO, will the IDIO be held responsible for POPIA compliance?
  • Adv Colleen Weapon - an IO can be held liable (ref. draft guidelines), accountability of the IO, despite delegation of duties.
  • [37:31] When will the Reg take over PAIA from the Health Commission? Will the current exemptions for PAIA manuals be extended?
  • Lebogang Stroom - s115(1) they are finalising the handover to be completed by 30 June 2021
  • PAIA grace period ends in Dec 2020 - it has been resolved that the HRC will formally ask for an extension to a viable time period when the Regulator has taken over the function
  • John Giles - be careful of paying a lot of money to get a PAIA manual done if you are a small business
  • [40:53] Foreign law, international best practice - how much will these apply to the development of POPIA guidelines?
  • Varsa Sewlal - Foreign law, international best practice - how much should we look at foreign law & best practice to interpret POPIA, esp. GDPR?
  • Reg will benchmark with foreign jurisdictions & does take account of international best practice in the further development of POPIA
  • In some respects POPIA offers more extensive protections; the GDPR does not necessarily afford more extensive protection than POPIA
  • [44:13] Dependencies - if the RP has to do something, e.g. registration of the IO can only be done once the facility is in place - will take a collective effort - limited resources in the Regulator - we have got to be creative to find answers to these questions. Michalsons will try to facilitate questions through to the Regulator
  • Nathan Ross - key themes
  • [46:21] Where do companies start?
  • John Giles - do an Organisational Impact Assessment - what is the impact of POPIA on your org, what does it mean for you? There is no one size fits all. E.g. nuts & bolts manufacturer vs direct marketer who profiles people
  • It is important to get your governance right for data protection - Mr Price has a team and a variety of role players.
  • Identify who your IO is, who the team is to support them, and who the champions are in different areas in your business, & gov body impact
  • Software tools that can help you
  • Gap analysis - compare your org with the law, and take action to fill those gaps by the end of the grace period
  • [46:16] Mark Heyink - things that need to be addressed by the Reg - in a number of instances - not seeing the necessity to look at codes of conduct in particular industries and professions. These become very important. They set out the nuances of how sectors will deal with data protection
  • [50:01] Mark Heyink - Issue of Prior Authorisation - there are many areas and organisations that will require it - if there is a Code of Practice in place, that need goes away. Professional bodies need to contribute to this.
  • [50:58] How technologies are being dealt with - novel in SA - will have to learn how to use the technologies to help us with Data protection, especially if you're processing large volumes of information - they will need tools. Look at this early in your programme. Go seek guidance from the Reg.
  • [52:30] Adv Colleen Weapon - Prior Authorisation & IO registration
  • Guidance note will be issued on prior auth
  • Reg of IO - busy receiving submissions on the draft guidelines (16 Aug 4pm)

Closing

  • Michalsons wants to consolidate feedback comments
  • Work together to achieve common compliance requirements
  • RPs & IOs need to be mindful of economic constraints, and the need for the Regulator to prioritise what is addressed first. Enforcement priorities must be respected for the Act to be effective. Consultation and collectivism is key.
